DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2024-12-26 06:04:08 -08:00
Code Issues Actions 11 Packages Projects Releases Wiki Activity

Merge pull request #14731 from snipe/features/csp_env

Browse source 
Fixed #14664 - allow additional urls in env for CSP
This commit is contained in:
snipe 2024-05-16 22:25:11 +01:00 committed by GitHub
parent 7fdbbc846e 52c906f6b8
commit e5c358a1fe
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.env.example
View file

@ -96,6 +96,7 @@ APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
ALLOW_IFRAMING=false ALLOW_IFRAMING=false
REFERRER_POLICY=same-origin REFERRER_POLICY=same-origin
ENABLE_CSP=false ENABLE_CSP=false
ADDITIONAL_CSP_URLS=null
CORS_ALLOWED_ORIGINS=null CORS_ALLOWED_ORIGINS=null
ENABLE_HSTS=false ENABLE_HSTS=false

4
app/Http/Middleware/SecurityHeaders.php
View file

@ -88,13 +88,13 @@ class SecurityHeaders
$csp_policy[] = "connect-src 'self'"; $csp_policy[] = "connect-src 'self'";
$csp_policy[] = "object-src 'none'"; $csp_policy[] = "object-src 'none'";
$csp_policy[] = "font-src 'self' data:"; $csp_policy[] = "font-src 'self' data:";
$csp_policy[] = "img-src 'self' data: ".config('app.url').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com'; $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.config('app.additional_csp_urls').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
if (config('filesystems.disks.public.driver') == 's3') { if (config('filesystems.disks.public.driver') == 's3') {
$csp_policy[] = "img-src 'self' data: ".config('filesystems.disks.public.url'); $csp_policy[] = "img-src 'self' data: ".config('filesystems.disks.public.url');
} }
$csp_policy = join(';', $csp_policy); $csp_policy = join(';', $csp_policy);
$response->headers->set('Content-Security-Policy', $csp_policy); $response->headers->set('Content-Security-Policy', $csp_policy);
} }

3
config/app.php
View file

@ -201,6 +201,9 @@ return [
'enable_csp' => env('ENABLE_CSP', true), 'enable_csp' => env('ENABLE_CSP', true),
'additional_csp_urls' => env('ADDITIONAL_CSP_URLS', ''),
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------