adding CSP frame-ancestors 'self' policy to mitigate clickjacking

This commit is contained in:
Ralf Becker 2020-01-28 18:19:40 +01:00
parent 2ea9549dcf
commit 57ab6f667c


@ -27,6 +27,7 @@ class ContentSecurityPolicy
* - "style-src 'self' 'unsafe-inline'" allows only self and inline style, which we need
* - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
* - "manifest-src 'self'"
* - "'"frame-ancestors 'self'" does not allow to frame (embed in frameset) other then self / clickjacking protection
* - "media-src 'self' data:"
* - "img-src 'self' data: https:"
* - "default-src 'none'" disallows all not explicitly set sources
@ -39,6 +40,7 @@ class ContentSecurityPolicy
'connect-src' => null, // NOT array(), to allow setting no default connect-src!
'frame-src' => null, // NOT array(), to allow setting no default frame-src!
'manifest-src'=> ["'self'"],
'frame-ancestors' => ["'self'"], // does not allow to frame (embed in frameset) other then self / clickjacking protection
'media-src' => ["data:"],
'img-src' => ["data:", "https:"],
'default-src' => ["'none'"], // disallows all not explicit set sources!
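Review bot: The new default `'frame-ancestors' => ["'self'"]` only protects browsers that honour CSP Level 2, and the directive is ignored when a policy is delivered through a `<meta>` element rather than the Content-Security-Policy response header; how this class emits the policy is not visible in this hunk, so confirm it goes out as a header and that an `X-Frame-Options: SAMEORIGIN` header is still sent alongside it as the fallback for older clients. The documentation line in the first hunk has stray quote characters and a typo; `* - "frame-ancestors 'self'" does not allow to frame (embed in frameset) other than self / clickjacking protection` would read cleanly, and the inline comment on the array entry should say `other than self` as well. Unlike `connect-src` and `frame-src`, this entry gets a non-null default, so a deployment that legitimately embeds the application in a foreign frame must override it explicitly rather than leave it unset — worth one sentence in the class doc if that is the intent.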