
Send a configurable CSP in every HTML response

The CSP is adapted depending on whether remote objects are allowed or not.
It can be configured or disabled via the config option
`content_security_policy` (and
`content_security_policy_add_allow_remote`).
pull/9665/merge^2
Pablo Zmdl 11 months ago
parent
commit
31f606d991
  1. 11
      config/defaults.inc.php
  2. 18
      program/include/rcmail_output_html.php

11
config/defaults.inc.php

@ -1563,3 +1563,14 @@ $config['message_show_email'] = false;
// 0 - Reply-All always
// 1 - Reply-List if mailing list is detected
$config['reply_all_mode'] = 0;
// The Content-Security-Policy to use if no remote objects are allowed to
// be loaded. If you use plugins you might need to extend this.
// Only change this if you know what you're doing! You can break the whole
// application with changes to this setting!
// To disable completely set the value to `false`;
$config['content_security_policy'] = "default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
// Additions to the Content-Security-Policy to use if remote objects *are*
// allowed to be loaded.
$config['content_security_policy_add_allow_remote'] = 'img-src *; media-src *; font-src: *; frame-src: *;';
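Review bot: The remote-allow additions on the last line of the hunk contain `font-src: *; frame-src: *;`, and CSP directive names take no colon, so a browser discards those two directives (with a console error) and fonts and frames stay governed by the `default-src 'self' data: blob:` fallback from the base policy. The `img-src *` and `media-src *` entries have the opposite problem: once a type-specific directive is present it replaces the `default-src` fallback for that type, and `*` does not match `data:` or `blob:` URLs, so images and media that load under the base policy would be blocked exactly when remote content is enabled. Suggested value: `'img-src * data: blob:; media-src * data: blob:; font-src *; frame-src *;'`. The base-policy comment also says to set the value to `false`, which should be stated in the `content_security_policy_add_allow_remote` comment too if that option may be disabled independently — I cannot tell from this hunk alone.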

18
program/include/rcmail_output_html.php

@ -728,6 +728,8 @@ class rcmail_output_html extends rcmail_output
$this->header('X-Frame-Options: sameorigin', true);
}
}
$this->add_csp_header();
}
/**
@ -2717,4 +2719,20 @@ class rcmail_output_html extends rcmail_output
return $template_logo;
}
/**
* Add the Content-Security-Policy to the HTTP response headers (unless it
* is disabled).
*/
protected function add_csp_header(): void
{
$csp = $this->app->config->get('content_security_policy');
if (!in_array($csp, ['', false, 'false'])) {
$csp_header = "Content-Security-Policy: {$csp}";
if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
$csp_header .= $this->app->config->get('content_security_policy_add_allow_remote');
}
$this->header($csp_header);
}
}
}
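Review bot: add_csp_header appends the remote-allow additions to the base policy with a bare `.=`, so the header is only well-formed when the configured base string happens to end in `;` — with a base that lacks the trailing semicolon the result reads `... 'unsafe-inline'img-src *`, and the run-together token is presumably dropped by the browser while the following `*` is kept, which would silently widen `style-src` instead of adding an image rule. Joining the two parts explicitly with `'; '` after trimming trailing semicolons makes the output independent of how either option is written; while there, `in_array($csp, ['', false, 'false'])` should pass `true` as the third argument so that values such as `0` or `null` are not treated as "disabled" by loose comparison (note that `null` is then handled explicitly). Whether `$this->env['safemode']` is already populated at the point where the call on the first hunk runs depends on code outside this diff, so the docstring should state that the method must be called after the environment has been set. The same helper could also mention that the header is only emitted for HTML responses, since the call site lives in this class's header-sending path.
```php
protected function add_csp_header(): void
{
    $csp = $this->app->config->get('content_security_policy');
    if (in_array($csp, [null, '', false, 'false'], true)) {
        return;
    }

    // Normalise both parts so the join never depends on a trailing ';' in config
    $directives = [rtrim(trim((string) $csp), ';')];
    if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
        $extra = (string) $this->app->config->get('content_security_policy_add_allow_remote');
        if ($extra !== '') {
            $directives[] = rtrim(trim($extra), ';');
        }
    }

    $this->header('Content-Security-Policy: ' . implode('; ', $directives));
}
```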