Added some CSP info

This commit is contained in:
the-djmaze 2023-12-01 22:59:36 +01:00
parent b0fea1e7c1
commit 004de4e48c

View file

@ -12,6 +12,9 @@ class CSP
$report_to = [], $report_to = [],
$report_only = false; $report_only = false;
/**
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives
*/
private $directives = [ private $directives = [
'base-uri' => ["'self'"], 'base-uri' => ["'self'"],
'default-src' => ["'self'", 'data:'], 'default-src' => ["'self'", 'data:'],
@ -79,7 +82,7 @@ class CSP
} else { } else {
\header('Content-Security-Policy: ' . $this); \header('Content-Security-Policy: ' . $this);
} }
if (empty($this->directives['frame-ancestors'])) { if (empty($this->directives['frame-ancestors']) || \in_array('none', $this->directives['frame-ancestors'])) {
\header('X-Frame-Options: DENY'); \header('X-Frame-Options: DENY');
} else { } else {
// \header('X-Frame-Options: SAMEORIGIN'); // \header('X-Frame-Options: SAMEORIGIN');