Added option to application.ini for CSP reporting

This commit is contained in:
the-djmaze 2022-02-14 14:58:35 +01:00
parent 6c71f25f50
commit 5e9c83c1a8
3 changed files with 9 additions and 1 deletions

View file

@ -181,6 +181,7 @@ class Application extends \RainLoop\Config\AbstractConfig
'admin_panel_host' => array(''),
'admin_panel_key' => array('admin'),
'content_security_policy' => array(''),
'csp_report' => array(false),
'encrypt_cipher' => array($sCipher)
),

View file

@ -241,7 +241,9 @@ abstract class Service
private static function setCSP(string $sScriptNonce = null) : void
{
$CSP = new \SnappyMail\HTTP\CSP(\trim(Api::Config()->Get('security', 'content_security_policy', '')));
$CSP->report = Api::Config()->Get('security', 'csp_report', false);
$CSP->report_only = Api::Config()->Get('debug', 'enable', false); // '0.0.0' === APP_VERSION
// Allow https: due to remote images in e-mails or use proxy
if (!Api::Config()->Get('security', 'use_local_proxy_for_external_images', '')) {
$CSP->img[] = 'https:';

View file

@ -15,6 +15,8 @@ class CSP
$img = ["'self'", 'data:'],
$style = ["'self'", "'unsafe-inline'"],
$frame = [],
$report = false,
$report_to = [],
$report_only = false;
@ -49,8 +51,11 @@ class CSP
if ($this->frame) {
$params[] = 'frame-src ' . \implode(' ', $this->frame);
}
// Deprecated
$params[] = 'report-uri ./?/CspReport';
if ($this->report) {
$params[] = 'report-uri ./?/CspReport';
}
return \implode('; ', $params);
}