
github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
authorJustin Velluppillai <justin@innocraft.com>2021-09-02 07:43:15 +0300
committerGitHub <noreply@github.com>2021-09-02 07:43:15 +0300
commit33db50cccebf44823d2080d296d4ace848153d4f (patch)
tree8151a41500a19a00d9e5a461afc161e6cbeb0f03
parent27d0af9ef317ca5050f904f9e34b802f084a7905 (diff)
Expose methods to disable CSP or loosen it for embedded iframes (#17910)
-rw-r--r--core/View/SecurityPolicy.php28
1 files changed, 27 insertions, 1 deletions
diff --git a/core/View/SecurityPolicy.php b/core/View/SecurityPolicy.php
index ab403aa48a..3fc042329f 100644
--- a/core/View/SecurityPolicy.php
+++ b/core/View/SecurityPolicy.php
@@ -16,6 +16,13 @@ use Piwik\Config;
*/
class SecurityPolicy
{
+ /*
+ * Commonly used rules
+ */
+ const RULE_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval'";
+ const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:"
+ const RULE_EMBEDDED_FRAME = "'self' 'unsafe-inline' 'unsafe-eval' data: https: http:";
+
/**
* The policies that will generate the CSP header.
* These are keyed by the directive.
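Review bot: As rendered here the `RULE_IMG_DEFAULT` declaration has no terminating semicolon, which is a parse error in PHP if it is really in the commit and not a rendering artefact; it should read `const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:";`. Separately, `'unsafe-inline'` and `'unsafe-eval'` have no meaning in `img-src` (browsers ignore them there), so the image rule only needs `'self' data:`, and carrying the keywords into every constant makes the policy look weaker than it is. `RULE_EMBEDDED_FRAME` also lists `http:`, which on an HTTPS-served page is blockable mixed content for frames and only serves to permit plaintext origins; `'self' data: https:` is the tighter equivalent. Since the file targets a PHP version with constant visibility, `public const` and a one-line comment per constant naming the directive it is meant for would make the intent explicit.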
@@ -31,7 +38,8 @@ class SecurityPolicy
* Constructor.
*/
public function __construct(Config $config) {
- $this->policies['default-src'] = "'self' 'unsafe-inline' 'unsafe-eval'";
+ $this->policies['default-src'] = self::RULE_DEFAULT;
+ $this->policies['img-src'] = self::RULE_IMG_DEFAULT;
$generalConfig = $config->General;
$this->cspEnabled = $generalConfig['csp_enabled'];
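Review bot: Seeding `img-src` explicitly changes the fallback behaviour for that directive and the constructor docblock ("Constructor.") does not say so: once `img-src` is present it no longer inherits from `default-src`, so a later override of `default-src` (for example to the embedded-frame rule) leaves images at `'self' data:`. That is the right outcome for the security posture but it will surprise a maintainer who widens `default-src` expecting images from other origins to load. I would extend the docblock with `Seeds default-src and img-src; img-src is set explicitly so that it does not follow later changes to default-src.` The rest of the constructor lies outside this hunk.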
@@ -69,6 +77,14 @@ class SecurityPolicy
}
/**
+ * Disable CSP
+ *
+ */
+ public function disable() {
+ $this->cspEnabled = false;
+ }
+
+ /**
* Creates the Header String that can be inserted in the Content-Security-Policy header.
*
* @return string
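Review bot: `disable()` silently overrides the administrator's `csp_enabled` configuration for this response and the one-word docblock `Disable CSP` gives a caller no warning about that. No counterpart that re-enables the policy is visible in this hunk, so as far as I can tell the instance cannot be switched back once a plugin calls this. I would document it as `Disables the Content-Security-Policy header for the current response, regardless of the csp_enabled config setting. Use only where the page cannot function under any CSP; prefer allowEmbedPage() or addPolicy() to loosen a single directive.` Emitting a log line at the call site would also help an operator understand why a response arrived without the header they configured.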
@@ -89,4 +105,14 @@ class SecurityPolicy
return $headerString;
}
+
+ /**
+ * A less restrictive CSP which will allow embedding other sites with iframes
+ * (useful for heatmaps and session recordings)
+ *
+ */
+ public function allowEmbedPage() {
+ $this->overridePolicy('default-src', self::RULE_EMBEDDED_FRAME);
+ $this->addPolicy('script-src', self::RULE_DEFAULT);
+ }
}
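Review bot: `allowEmbedPage()` widens `default-src` to `https: http:`, but `default-src` is the fallback for every fetch directive (`frame-src`, `connect-src`, `object-src`, `style-src`, `font-src`, `media-src`, …), so this permits plugins, stylesheets, fonts and XHR/fetch targets from any origin when the stated goal is only to frame other sites. Re-adding `script-src` afterwards closes one hole but leaves `object-src` and the others open, and `http:` additionally allows plaintext origins. Scope the change to the frame directives instead and leave `default-src` untouched: `$this->addPolicy('frame-src', self::RULE_EMBEDDED_FRAME); $this->addPolicy('child-src', self::RULE_EMBEDDED_FRAME);` (the `script-src` line then becomes unnecessary). If the embedded page also needs to fetch from those origins, widen that specific directive rather than the fallback; the semantics of `overridePolicy()` and `addPolicy()` are not visible in this hunk, so whether `addPolicy` appends or replaces should be checked.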