Commit 4df8ce2c authored by Christophe Maudoux's avatar Christophe Maudoux

Set formAction CSP from Manager (#1499)

parent f97a8105
......@@ -33,6 +33,7 @@ sub defaultValues {
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspFormAction' => '*',
'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
......
......@@ -919,6 +919,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '\'self\'',
'type' => 'text'
},
'cspFormAction' => {
'default' => '*',
'type' => 'text'
},
'cspImg' => {
'default' => '\'self\' data:',
'type' => 'text'
......
......@@ -613,6 +613,11 @@ sub attributes {
default => "'self'",
documentation => 'Default value for Content-Security-Policy',
},
cspFormAction => {
type => 'text',
default => "*",
documentation => 'Form action for Content-Security-Policy',
},
cspImg => {
type => 'text',
default => "'self' data:",
......
......@@ -745,6 +745,7 @@ sub tree {
'cspDefault', 'cspImg',
'cspScript', 'cspStyle',
'cspConnect', 'cspFont',
'cspFormAction',
]
},
'requireToken',
......
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -733,7 +733,7 @@ sub sendHtml {
'X-Content-Type-Options' => 'nosniff';
# Set authorized URL for POST
my $csp = $self->csp . "form-action 'self'";
my $csp = $self->csp . "form-action 'self' " . $self->conf->{cspFormAction};
if ( my $url = $req->urldc ) {
$self->logger->debug("Required urldc : $url");
$url =~ s#(https?://[^/]+).*#$1#;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment