[CORE][Controller] CSP default-src changed to 'self' to allow internal redirects.

This commit is contained in:
Eliseu Amaro 2021-11-17 01:12:36 +00:00
parent 1d31bd651e
commit 8077bdb0b5
Signed by: eliseuamaro
GPG Key ID: 96DA09D4B97BC2D5


@ -126,7 +126,7 @@ abstract class Controller extends AbstractController implements EventSubscriberI
$this->vars = array_merge_recursive($this->vars, $response); $this->vars = array_merge_recursive($this->vars, $response);
$template = \array_key_exists('_template', $this->vars) ? $this->vars['_template'] : null; $template = $this->vars['_template'] ?? null;
Event::handle('OverrideTemplate', [$this->vars, &$template]); // Allow plugins to replace the template used for anything Event::handle('OverrideTemplate', [$this->vars, &$template]); // Allow plugins to replace the template used for anything
unset($this->vars['_template'], $response['_template']); unset($this->vars['_template'], $response['_template']);
@ -150,8 +150,9 @@ abstract class Controller extends AbstractController implements EventSubscriberI
$event->setResponse($this->render($template, $this->vars)); $event->setResponse($this->render($template, $this->vars));
// Setting the Content-Security-Policy response header // Setting the Content-Security-Policy response header
$policy = "default-src 'self' 'unsafe-inline';" $policy = "default-src 'self';"
. "script-src 'self' 'unsafe-inline'"; . "script-src 'strict-dynamic' https: http:;"
. "object-src 'none'; base-uri 'none'";
$potential_response = $event->getResponse(); $potential_response = $event->getResponse();
$potential_response->headers->set('Content-Security-Policy', $policy); $potential_response->headers->set('Content-Security-Policy', $policy);
$potential_response->headers->set('X-Content-Security-Policy', $policy); $potential_response->headers->set('X-Content-Security-Policy', $policy);
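Review bot: The new `script-src 'strict-dynamic' https: http:` carries no nonce or hash, so a CSP3 browser has no trusted root script and will block every script on the page, first-party ones included (once 'strict-dynamic' is present, `'self'`, `https:` and `http:` are ignored), while an older browser that does not know 'strict-dynamic' falls back to `https: http:` and will run a script from any origin — the directive is either a page-wide script outage or no XSS protection at all, never the strict policy it resembles. The usual fix is to generate a per-request nonce before the `render()` call, expose it to the templates (which must then emit `nonce="…"` on every `<script>` tag — that side is not visible here and needs checking) and add `'nonce-…'` to script-src, keeping `https: http: 'unsafe-inline'` only as the fallback that nonce-aware browsers ignore. Dropping `'unsafe-inline'` from default-src with no `style-src` also blocks inline styles now, which may or may not be intended, and the `X-Content-Security-Policy` header set on the last context line is the pre-standard name that legacy browsers parsed with a different syntax, so it adds nothing. The enclosing method starts and ends outside the hunk.
```php
// Per-request nonce: 'strict-dynamic' trusts only nonce/hash-bearing scripts (and what they load).
$nonce = base64_encode(random_bytes(16));
$this->vars['csp_nonce'] = $nonce; // templates must emit nonce="…" on every <script> tag
$event->setResponse($this->render($template, $this->vars));
// … unchanged: comment …
$policy = "default-src 'self';"
    . "script-src 'nonce-{$nonce}' 'strict-dynamic' https: http: 'unsafe-inline';"
    . "object-src 'none'; base-uri 'none'";
// … unchanged: header assignment …
```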