Beanz/flatpress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update plugin.fpprotect.php

Browse Source 
The CSP directives should only apply to HTTPS and not to HTTP connections.
This commit is contained in:
Frank Hochmuth 2024-04-22 23:58:32 +02:00 committed by GitHub
parent 3c5adce3fe
commit 944476d059
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 16 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
fp-plugins/fpprotect/plugin.fpprotect.php
View File

@ -8,6 +8,9 @@
* Author URI: https://www.flatpress.org * Author URI: https://www.flatpress.org
*/ */
if (function_exists('is_https')) {
if (is_https()) {
// Content Security Policy rules for Youtube, Facebook and Vimeo embedded video / BBCode [video], embedded OSM // Content Security Policy rules for Youtube, Facebook and Vimeo embedded video / BBCode [video], embedded OSM
header('Content-Security-Policy: default-src https: data:; frame-src https: data:; base-uri \'self\'; font-src https: data:; script-src https: \'unsafe-inline\' \'unsafe-eval\' blob:; style-src https: \'unsafe-inline\'; img-src https: data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src https: blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\'; object-src \'self\''); header('Content-Security-Policy: default-src https: data:; frame-src https: data:; base-uri \'self\'; font-src https: data:; script-src https: \'unsafe-inline\' \'unsafe-eval\' blob:; style-src https: \'unsafe-inline\'; img-src https: data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src https: blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\'; object-src \'self\'');
header('X-Content-Security-Policy: default-src https: data:; frame-src https: data:; base-uri \'self\'; font-src https: data:; script-src https: \'unsafe-inline\' \'unsafe-eval\' blob:; style-src https: \'unsafe-inline\'; img-src https: data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src https: blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\'; object-src \'self\''); header('X-Content-Security-Policy: default-src https: data:; frame-src https: data:; base-uri \'self\'; font-src https: data:; script-src https: \'unsafe-inline\' \'unsafe-eval\' blob:; style-src https: \'unsafe-inline\'; img-src https: data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src https: blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\'; object-src \'self\'');
@ -19,5 +22,7 @@ header('Referrer-Policy: strict-origin-when-cross-origin');
header('Strict-Transport-Security: max-age=15552000; includeSubDomains'); header('Strict-Transport-Security: max-age=15552000; includeSubDomains');
header('X-Permitted-Cross-Domain-Policies: none'); header('X-Permitted-Cross-Domain-Policies: none');
header('X-Download-Options: noopen'); header('X-Download-Options: noopen');
?> }
}
?>