Merge pull request #14731 from snipe/features/csp_env

Fixed #14664 - allow additional urls in env for CSP

.env.example

@@ -96,6 +96,7 @@ APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
 ALLOW_IFRAMING=false
 REFERRER_POLICY=same-origin
 ENABLE_CSP=false
+ADDITIONAL_CSP_URLS=null
 CORS_ALLOWED_ORIGINS=null
 ENABLE_HSTS=false
 

app/Http/Middleware/SecurityHeaders.php

@@ -88,13 +88,13 @@ class SecurityHeaders
             $csp_policy[] = "connect-src 'self'";
             $csp_policy[] = "object-src 'none'";
             $csp_policy[] = "font-src 'self' data:";
-            $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
+            $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.config('app.additional_csp_urls').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
 	          
             if (config('filesystems.disks.public.driver') == 's3') {
                $csp_policy[] = "img-src 'self' data:  ".config('filesystems.disks.public.url');
             }
             $csp_policy = join(';', $csp_policy);
-           
+
             $response->headers->set('Content-Security-Policy', $csp_policy);
         }
 

config/app.php

@@ -201,6 +201,9 @@ return [
 
     'enable_csp' => env('ENABLE_CSP', true),
 
+    'additional_csp_urls' => env('ADDITIONAL_CSP_URLS', ''),
+
+
 
     /*
     |--------------------------------------------------------------------------