From 8077bdb0b5c00eb6f625f861a53cb808c923b8ff Mon Sep 17 00:00:00 2001
From: Eliseu Amaro
Date: Wed, 17 Nov 2021 01:12:36 +0000
Subject: [PATCH] [CORE][Controller] CSP default-src changed to 'self' to allow internal redirects.
---
 src/Core/Controller.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/Core/Controller.php b/src/Core/Controller.php
index a69349d60b..910a327232 100644
--- a/src/Core/Controller.php
+++ b/src/Core/Controller.php
@@ -126,7 +126,7 @@ abstract class Controller extends AbstractController implements EventSubscriberI
 $this->vars = array_merge_recursive($this->vars, $response);
- $template = \array_key_exists('_template', $this->vars) ? $this->vars['_template'] : null;
+ $template = $this->vars['_template'] ?? null;
 Event::handle('OverrideTemplate', [$this->vars, &$template]); // Allow plugins to replace the template used for anything
 unset($this->vars['_template'], $response['_template']);
@@ -150,8 +150,9 @@ abstract class Controller extends AbstractController implements EventSubscriberI
 $event->setResponse($this->render($template, $this->vars));
 // Setting the Content-Security-Policy response header
- $policy = "default-src 'self' 'unsafe-inline';"
- . "script-src 'self' 'unsafe-inline'";
+ $policy = "default-src 'self';"
+ . "script-src 'strict-dynamic' https: http:;"
+ . "object-src 'none'; base-uri 'none'";
 $potential_response = $event->getResponse();
 $potential_response->headers->set('Content-Security-Policy', $policy);
 $potential_response->headers->set('X-Content-Security-Policy', $policy);
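Review bot: The new `script-src 'strict-dynamic' https: http:` carries no nonce or hash, so in browsers that implement 'strict-dynamic' the `https:`/`http:` host sources are ignored and every script — including the site's own — is blocked, while older browsers fall back to `https: http:` and accept scripts from any origin; neither outcome is the restriction the directive is meant to give. A per-response nonce from `random_bytes()` is needed both in the header and on every `<script>` tag, which means generating it before the `render()` call on the first context line of the second hunk and passing it to the templates (the template side is outside this hunk, and the `csp_nonce` key below is a constructed example); keeping `'unsafe-inline'` after the nonce is the usual fallback that nonce-aware browsers ignore. Dropping `'unsafe-inline'` from `default-src` also withdraws it from `style-src`, so any inline `style=` attributes or `<style>` blocks in the templates will presumably now be blocked — worth confirming before merge. The enclosing method starts outside the hunk.
```php
// One nonce per response: 'strict-dynamic' only takes effect alongside a nonce or hash,
// and browsers that honour it ignore the https:/http: host sources entirely.
$nonce = base64_encode(random_bytes(16));
$this->vars['csp_nonce'] = $nonce; // templates must emit nonce="..." on every <script>; that wiring is outside this hunk
$event->setResponse($this->render($template, $this->vars));
// Setting the Content-Security-Policy response header
$policy = "default-src 'self';"
    . "script-src 'nonce-{$nonce}' 'strict-dynamic' https: http: 'unsafe-inline';"
    . "object-src 'none'; base-uri 'none'";
// … unchanged: header assignment on $potential_response …
```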