Allow plugins to override CSP rules

2015-10-10 18:59:06 -04:00 · 2015-10-10 18:59:06 -04:00 · 0e233673e3
parent e3521db6a8
commit 0e233673e3
4 changed files with 34 additions and 2 deletions
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@ -80,7 +80,7 @@ abstract class Base extends \Core\Base
    private function sendHeaders($action)
    {
        // HTTP secure headers
-        $this->response->csp(array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:'));
+        $this->response->csp($this->container['cspRules']);
        $this->response->nosniff();
        $this->response->xss();

--- a/app/Core/Plugin/Base.php
+++ b/app/Core/Plugin/Base.php
@ -18,6 +18,17 @@ abstract class Base extends \Core\Base
     */
    abstract public function initialize();

+    /**
+     * Override default CSP rules
+     *
+     * @access public
+     * @param  array  $rules
+     */
+    public function setContentSecurityPolicy(array $rules)
+    {
+        $this->container['cspRules'] = $rules;
+    }
+
    /**
     * Returns all classes that needs to be stored in the DI container
     *
--- a/app/ServiceProvider/ClassProvider.php
+++ b/app/ServiceProvider/ClassProvider.php
@ -126,5 +126,7 @@ class ClassProvider implements ServiceProviderInterface
        };

        $container['pluginLoader'] = new Loader($container);
+
+        $container['cspRules'] = array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:');
    }
 }
--- a/doc/plugins.markdown
+++ b/doc/plugins.markdown
@ -198,7 +198,7 @@ Example to add new content in the dashboard sidebar:
 $this->template->hook->attach('template:dashboard:sidebar', 'myplugin:dashboard/sidebar');
 ```

-This call is usually defined in the `initialize()` method. 
+This call is usually defined in the `initialize()` method.
 The first argument is name of the hook and the second argument is the template name.

 Template names prefixed with the plugin name and colon indicate the location of the template.
@ -329,6 +329,25 @@ $this->on('session.bootstrap', function($container) {

 The translations must be stored in `plugins/Myplugin/Locale/xx_XX/translations.php`.

+Override HTTP Content Security Policy
+-------------------------------------
+
+If you would like to replace the default HTTP Content Security Policy header, you can use the method `setContentSecurityPolicy()`:
+
+```php
+<?php
+
+namespace Plugin\Csp;
+
+class Plugin extends \Core\Plugin\Base
+{
+    public function initialize()
+    {
+        $this->setContentSecurityPolicy(array('script-src' => 'something'));
+    }
+}
+```
+
 Dependency Injection Container
 ------------------------------