Commit 4df8ce2c authored by Christophe Maudoux's avatar Christophe Maudoux 🐛

Set formAction CSP from Manager (#1499)

parent f97a8105
...@@ -33,6 +33,7 @@ sub defaultValues { ...@@ -33,6 +33,7 @@ sub defaultValues {
'cspConnect' => '\'self\'', 'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'', 'cspDefault' => '\'self\'',
'cspFont' => '\'self\'', 'cspFont' => '\'self\'',
'cspFormAction' => '*',
'cspImg' => '\'self\' data:', 'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'', 'cspScript' => '\'self\'',
'cspStyle' => '\'self\'', 'cspStyle' => '\'self\'',
......
...@@ -919,6 +919,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] ...@@ -919,6 +919,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '\'self\'', 'default' => '\'self\'',
'type' => 'text' 'type' => 'text'
}, },
'cspFormAction' => {
'default' => '*',
'type' => 'text'
},
'cspImg' => { 'cspImg' => {
'default' => '\'self\' data:', 'default' => '\'self\' data:',
'type' => 'text' 'type' => 'text'
......
...@@ -613,6 +613,11 @@ sub attributes { ...@@ -613,6 +613,11 @@ sub attributes {
default => "'self'", default => "'self'",
documentation => 'Default value for Content-Security-Policy', documentation => 'Default value for Content-Security-Policy',
}, },
cspFormAction => {
type => 'text',
default => "*",
documentation => 'Form action for Content-Security-Policy',
},
cspImg => { cspImg => {
type => 'text', type => 'text',
default => "'self' data:", default => "'self' data:",
......
...@@ -745,6 +745,7 @@ sub tree { ...@@ -745,6 +745,7 @@ sub tree {
'cspDefault', 'cspImg', 'cspDefault', 'cspImg',
'cspScript', 'cspStyle', 'cspScript', 'cspStyle',
'cspConnect', 'cspFont', 'cspConnect', 'cspFont',
'cspFormAction',
] ]
}, },
'requireToken', 'requireToken',
......
This source diff could not be displayed because it is too large. You can view the blob instead.
...@@ -733,7 +733,7 @@ sub sendHtml { ...@@ -733,7 +733,7 @@ sub sendHtml {
'X-Content-Type-Options' => 'nosniff'; 'X-Content-Type-Options' => 'nosniff';
# Set authorized URL for POST # Set authorized URL for POST
my $csp = $self->csp . "form-action 'self'"; my $csp = $self->csp . "form-action 'self' " . $self->conf->{cspFormAction};
if ( my $url = $req->urldc ) { if ( my $url = $req->urldc ) {
$self->logger->debug("Required urldc : $url"); $self->logger->debug("Required urldc : $url");
$url =~ s#(https?://[^/]+).*#$1#; $url =~ s#(https?://[^/]+).*#$1#;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment