From 7428e2d7cdaa2551b72b8a821eebfe73884bcaa7 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Tue, 7 Jul 2020 13:18:28 +0200
Subject: [PATCH] do not add path of url to CSP

---
 api/src/Header/ContentSecurityPolicy.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/api/src/Header/ContentSecurityPolicy.php b/api/src/Header/ContentSecurityPolicy.php
index 0b2de5b475..b145e69a83 100644
--- a/api/src/Header/ContentSecurityPolicy.php
+++ b/api/src/Header/ContentSecurityPolicy.php
@@ -86,6 +86,11 @@ class ContentSecurityPolicy
 {
 $attr = "'$attr'"; // automatic add quotes
 }
+ // only add scheme and host, not path
+ elseif ($source !== 'report-uri' && ($parsed=parse_url($attr)) && !empty($parsed['scheme']) && !empty($parsed['path']))
+ {
+ $attr = $parsed['scheme'].'://'.$parsed['host'].(!empty($parsed['port']) ? ':'.$parsed['port'] : '');
+ }
 if (!in_array($attr, self::$sources[$source]))
 {
 self::$sources[$source][] = $attr;
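Review bot: The new `elseif` checks for a scheme and a path but never for a host, so a value such as `data:image/png` or any `scheme:path` form without an authority takes this branch and `$parsed['host']` is undefined, turning the source into a bogus `data://` entry (plus a notice); add `&& !empty($parsed['host'])` to the condition so only true origin URLs are reduced: `elseif ($source !== 'report-uri' && ($parsed=parse_url($attr)) && !empty($parsed['scheme']) && !empty($parsed['host']) && !empty($parsed['path']))`. Worth stating in the comment why the path is dropped, because the effect is a wider allow-list: a path-scoped source like `https://cdn.example.com/egroupware/` becomes `https://cdn.example.com`, which permits every script or style that host serves, a real broadening on shared CDNs; CSP does support path matching (though it is ignored after a redirect, which may be the motivation here, presumably). A comment such as `// CSP path-matching is dropped here: the whole origin is allowed, so only list hosts you trust entirely` would make that trade-off visible to whoever adds sources later. The enclosing method begins before this hunk, so the origin of `$attr` and `$source` is not visible here.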