mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-26 06:04:08 -08:00
Merge pull request #14731 from snipe/features/csp_env
Fixed #14664 - allow additional urls in env for CSP
This commit is contained in:
commit
e5c358a1fe
|
@ -96,6 +96,7 @@ APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
|
|||
ALLOW_IFRAMING=false
|
||||
REFERRER_POLICY=same-origin
|
||||
ENABLE_CSP=false
|
||||
ADDITIONAL_CSP_URLS=null
|
||||
CORS_ALLOWED_ORIGINS=null
|
||||
ENABLE_HSTS=false
|
||||
|
||||
|
|
|
@ -88,13 +88,13 @@ class SecurityHeaders
|
|||
$csp_policy[] = "connect-src 'self'";
|
||||
$csp_policy[] = "object-src 'none'";
|
||||
$csp_policy[] = "font-src 'self' data:";
|
||||
$csp_policy[] = "img-src 'self' data: ".config('app.url').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
|
||||
$csp_policy[] = "img-src 'self' data: ".config('app.url').' '.config('app.additional_csp_urls').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
|
||||
|
||||
if (config('filesystems.disks.public.driver') == 's3') {
|
||||
$csp_policy[] = "img-src 'self' data: ".config('filesystems.disks.public.url');
|
||||
}
|
||||
$csp_policy = join(';', $csp_policy);
|
||||
|
||||
|
||||
$response->headers->set('Content-Security-Policy', $csp_policy);
|
||||
}
|
||||
|
||||
|
|
|
@ -201,6 +201,9 @@ return [
|
|||
|
||||
'enable_csp' => env('ENABLE_CSP', true),
|
||||
|
||||
'additional_csp_urls' => env('ADDITIONAL_CSP_URLS', ''),
|
||||
|
||||
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
|
|
Loading…
Reference in a new issue