From 0340b080ad8fa739db23dec5930bc05d78ea08e0 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 29 Apr 2023 19:39:42 +0100
Subject: [PATCH] CSP - Client Portal Test

Add initial content security policy trial/test to some client portal pages
---
 portal/index.php | 2 ++
 portal/invoices.php | 2 ++
 portal/login.php | 2 ++
 portal/portal_header.php | 4 ++--
 portal/profile.php | 2 ++
 portal/tickets.php | 2 ++
 6 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/portal/index.php b/portal/index.php
index a267fc60..78528659 100644
--- a/portal/index.php
+++ b/portal/index.php
@@ -4,6 +4,8 @@
  * Landing / Home page for the client portal
  */
 
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+
 require_once("inc_portal.php");
 
 ?>
diff --git a/portal/invoices.php b/portal/invoices.php
index e33ab9a9..8aa9c4f2 100644
--- a/portal/invoices.php
+++ b/portal/invoices.php
@@ -4,6 +4,8 @@
  * Invoices for PTC
  */
 
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+
 require_once("inc_portal.php");
 
 if ($session_contact_id !== $session_client_primary_contact_id && !$session_contact_is_billing_contact) {
diff --git a/portal/login.php b/portal/login.php
index f4238184..524413bb 100644
--- a/portal/login.php
+++ b/portal/login.php
@@ -4,6 +4,8 @@
  * Landing / Home page for the client portal
  */
 
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+
 header("X-Frame-Options: DENY");
 
 $session_company_id = 1;
diff --git a/portal/portal_header.php b/portal/portal_header.php
index fee3d03c..185f81e2 100644
--- a/portal/portal_header.php
+++ b/portal/portal_header.php
@@ -4,7 +4,7 @@
  * HTML Header
  */
 
-header("X-Frame-Options: DENY");
+header("X-Frame-Options: DENY"); // Legacy
 
 ?>
@@ -12,7 +12,7 @@ header("X-Frame-Options: DENY");
- <?php echo htmlentities($company_name); ?> | Client Portal - Tickets
+ <?php echo htmlentities($company_name); ?> | Client Portal
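Review bot: The policy added at the top of index.php is enforced rather than trialled, and in its current shape it is both likely to break the page and weaker than it looks: `default-src 'self' https: fonts.googleapis.com` contains no `'unsafe-inline'`, so any inline `<script>`, event-handler attribute or `style=` the portal markup emits will be blocked, while `https:` still permits scripts from any HTTPS origin, which gives little protection against a script injected via XSS (`fonts.googleapis.com` is already covered by `https:` and adds nothing). Since the commit message describes this as a trial, send it as `header("Content-Security-Policy-Report-Only: default-src 'self' https: fonts.googleapis.com");` first, watch the browser console for violation reports, and only then replace `https:` with the specific hosts the pages actually load and switch back to the enforcing header name. The identical line is pasted into invoices.php, login.php, profile.php and tickets.php in this commit; setting it once in a shared include would keep the policy from drifting between pages, though login.php does not appear to load inc_portal.php, so the include chosen would need to be one every entry point pulls in.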
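Review bot: The `// Legacy` comment added to `header("X-Frame-Options: DENY");` in portal_header.php is misleading, because none of the Content-Security-Policy headers introduced by this commit carries a `frame-ancestors` directive, so X-Frame-Options remains the portal's only clickjacking control. It should stay even after a `frame-ancestors` directive is added, for clients that honour only the older header, so a comment that says why it is kept would serve better, e.g. `header("X-Frame-Options: DENY"); // Clickjacking protection; keep alongside any CSP frame-ancestors directive`. This file sets X-Frame-Options but not the new CSP header, whereas login.php now sets both, so which pages end up with a CSP appears to depend on which page scripts were touched rather than on the shared header; the second hunk in this file (title text) raises nothing.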
diff --git a/portal/profile.php b/portal/profile.php
index 8ab65e3b..cac8630a 100644
--- a/portal/profile.php
+++ b/portal/profile.php
@@ -4,6 +4,8 @@
  * User profile
  */
 
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+
 require_once('inc_portal.php');
 
 ?>
diff --git a/portal/tickets.php b/portal/tickets.php
index 4aeb34b3..dc0ff296 100644
--- a/portal/tickets.php
+++ b/portal/tickets.php
@@ -4,6 +4,8 @@
  * Landing / Home page for the client portal
  */
 
+header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+
 require_once("inc_portal.php");
 
 // Ticket status from GET