snipe-it/app/Http/Middleware/ContentSecurityPolicyHeader.php

<?php
namespace App\Http\Middleware;

use Closure;

class ContentSecurityPolicyHeader
{
    /**
     * Handle the given request and get the response.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return \Illuminate\Http\Response
     */
    public function handle($request, Closure $next)
    {
        if ((config('app.debug')=='true')  || (config('app.enable_csp')!='true')) {
            $response = $next($request);
            return $response;
        }

        $policy[] = "default-src 'self'";
        $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
        $policy[] = "script-src 'self' 'unsafe-inline' oss.mafxcdn.com cdnjs.cloudflare.com'";
        $policy[] = "connect-src 'self'";
        $policy[] = "object-src 'none'";
        $policy[] = "font-src 'self' data:";
        $policy[] = "img-src 'self' data: gravatar.com";
        $policy = join(';', $policy);

        $response = $next($request);
        $response->headers->set('Content-Security-Policy', $policy);
        return $response;
    }
}
Added content security middleware 2017-09-28 19:45:15 -07:00			`<?php`
			`namespace App\Http\Middleware;`

			`use Closure;`

			`class ContentSecurityPolicyHeader`
			`{`
			`/**`
			`* Handle the given request and get the response.`
			`*`
			`* @param \Illuminate\Http\Request $request`
			`* @param \Closure $next`
			`* @return \Illuminate\Http\Response`
			`*/`
			`public function handle($request, Closure $next)`
			`{`
Default to turning CSP off until we can fix vue/CSP issues 2017-10-02 13:29:14 -07:00			`if ((config('app.debug')=='true') \|\| (config('app.enable_csp')!='true')) {`
Added content security middleware 2017-09-28 19:45:15 -07:00			`$response = $next($request);`
			`return $response;`
			`}`

			`$policy[] = "default-src 'self'";`
			`$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";`
Removed nonce for now There is a dependency in a package where we can’t edit the script tags to add the nonce 2017-11-02 10:57:05 -07:00			`$policy[] = "script-src 'self' 'unsafe-inline' oss.mafxcdn.com cdnjs.cloudflare.com'";`
Added content security middleware 2017-09-28 19:45:15 -07:00			`$policy[] = "connect-src 'self'";`
			`$policy[] = "object-src 'none'";`
			`$policy[] = "font-src 'self' data:";`
			`$policy[] = "img-src 'self' data: gravatar.com";`
			`$policy = join(';', $policy);`

			`$response = $next($request);`
			`$response->headers->set('Content-Security-Policy', $policy);`
			`return $response;`
			`}`
			`}`