2017-09-28 19:45:15 -07:00
|
|
|
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
|
|
|
|
use Closure;
|
|
|
|
|
|
|
|
class ContentSecurityPolicyHeader
|
|
|
|
{
|
|
|
|
/**
|
|
|
|
* Handle the given request and get the response.
|
|
|
|
*
|
|
|
|
* @param \Illuminate\Http\Request $request
|
|
|
|
* @param \Closure $next
|
|
|
|
* @return \Illuminate\Http\Response
|
|
|
|
*/
|
|
|
|
public function handle($request, Closure $next)
|
|
|
|
{
|
2017-09-29 04:53:09 -07:00
|
|
|
if ((config('app.debug')=='true') || (config('app.disable_csp')=='true')) {
|
2017-09-28 19:45:15 -07:00
|
|
|
$response = $next($request);
|
|
|
|
return $response;
|
|
|
|
}
|
|
|
|
|
|
|
|
$policy[] = "default-src 'self'";
|
|
|
|
$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
|
|
|
|
$policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
|
|
|
|
$policy[] = "connect-src 'self'";
|
|
|
|
$policy[] = "object-src 'none'";
|
|
|
|
$policy[] = "font-src 'self' data:";
|
|
|
|
$policy[] = "img-src 'self' data: gravatar.com";
|
|
|
|
$policy = join(';', $policy);
|
|
|
|
|
|
|
|
$response = $next($request);
|
|
|
|
$response->headers->set('Content-Security-Policy', $policy);
|
|
|
|
return $response;
|
|
|
|
}
|
|
|
|
}
|