Changeset 3399040
- Timestamp: 11/19/2025 02:22:33 PM (4 months ago)
- File: 1 edited
- secuplug/trunk/src/Lib/Middleware.php (modified) (1 diff)
secuplug/trunk/src/Lib/Middleware.php
r3366125 r3399040 102 102 $csp_policy = "frame-src 'self' https://www.google.com/ https://google.com/;"; 103 103 $csp_policy .= "worker-src 'self' blob:; "; 104 $csp_policy .= "script-src " . $csp_allowed_script_sources . "; "; 105 $csp_policy .= "style-src " . $csp_allowed_style_sources . "; "; 104 $csp_policy .= "script-src 'self' " . $csp_allowed_script_sources . "; "; 105 $csp_policy .= "style-src 'self' " . $csp_allowed_style_sources . "; "; 106 106 107 // Allows images from self, data URIs, and any HTTPS source. This is generally safe. 107 108 $csp_policy .= "img-src 'self' data: https:; "; 108 $csp_policy .= "font-src " . $csp_allowed_font_sources . "; "; 109 $csp_policy .= "font-src 'self' " . $csp_allowed_font_sources . "; "; 110 109 111 // Disallows plugins like Flash. 110 112 $csp_policy .= "object-src 'none'; "; 113 111 114 // Mitigates clickjacking. 112 115 $csp_policy .= "frame-ancestors 'self'; ";
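Review bot: the three changed assignments (new lines 104, 105 and 109) hard-code `'self'` ahead of `$csp_allowed_script_sources`, `$csp_allowed_style_sources` and `$csp_allowed_font_sources`, but the hunk does not show how those variables are built, so the effect depends on their contents. If a list already contains `'self'` the duplicate is harmless; if a list can be an empty string, the old lines would have emitted a bare directive such as `script-src ;`, and prefixing `'self'` also fixes that case. Either way the intent should be stated in a comment beside these assignments, as the neighbouring `img-src`, `object-src` and `frame-ancestors` lines each are, and the place where the `$csp_allowed_*` lists are assembled should be checked so that `'self'` is not appended there as well. Note too that adding `'self'` to `script-src` widens the policy relative to the previous line whenever the configured list did not already include it, which is worth calling out in the changelog.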