Commit 2dd22811 authored by Xavier Guimard's avatar Xavier Guimard

Finish portal CSP (#1138)

parent 942be414
......@@ -634,14 +634,13 @@ sub _dump {
sub sendHtml {
my ( $self, $req, $template, %args ) = @_;
my $csp = $self->csp;
my $csp = $self->csp . "form-action 'self'";
push @{ $req->respHeaders },
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff';
$csp .= "form-action 'self'";
my $url = $args{params}->{URL};
if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
$csp .= $url;
$csp .= " $url";
}
$csp .= ';';
unless ( $self->conf->{portalAntiFrame} == 0 ) {
......@@ -651,7 +650,7 @@ sub sendHtml {
( $req->info =~ /<iframe.*?src="(.*?)"/sg );
}
if (@url) {
$csp = join 'frame-ancestors', @url;
$csp .= join( ' ', 'frame-ancestors', @url ) . ';';
}
else {
push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY';
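Review bot: In the second hunk the `frame-ancestors` sources are the raw `src` attribute values captured from `$req->info` and are appended to the header with no normalisation, while the `form-action` source in the first hunk is reduced to a host first; a value containing a space or `;` would be parsed by the browser as further sources or directives, and a relative or non-http `src` is not a valid host-source at all. Filter before joining, e.g. `my @src = grep { m{\A https?://[^\s;/]+ (?::\d+)? \z}x } @url;` and `$csp .= join( ' ', 'frame-ancestors', @src ) . ';';`, taking the `X-Frame-Options: DENY` branch when nothing survives. The same applies to the first hunk's `s#https?://([^/]+).*#$1#`, whose `[^/]+` class also admits whitespace and newlines, so it only yields a well-formed source if the `URL` parameter was already validated upstream — presumably it is, but that is not visible here. The first hunk also concatenates `form-action 'self'` directly onto `$self->csp`, which is correct only if that accessor always ends with `;` or a space; worth a comment such as `# $self->csp is expected to end with ';'`. The rest of sendHtml lies outside this view.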