author | Justin Velluppillai <justin@innocraft.com> | 2021-09-02 07:43:15 +0300 |
committer | GitHub <noreply@github.com> | 2021-09-02 07:43:15 +0300 |
commit | 33db50cccebf44823d2080d296d4ace848153d4f (patch) | |
tree | 8151a41500a19a00d9e5a461afc161e6cbeb0f03 | |
parent | 27d0af9ef317ca5050f904f9e34b802f084a7905 (diff) |
Expose methods to disable CSP or loosen it for embedded iframes (#17910)
-rw-r--r-- | core/View/SecurityPolicy.php | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/core/View/SecurityPolicy.php b/core/View/SecurityPolicy.php
index ab403aa48a..3fc042329f 100644
--- a/core/View/SecurityPolicy.php
+++ b/core/View/SecurityPolicy.php
@@ -16,6 +16,13 @@ use Piwik\Config;
 */
 class SecurityPolicy
 {
+ /*
+ * Commonly used rules
+ */
+ const RULE_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval'";
+ const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:"
+ const RULE_EMBEDDED_FRAME = "'self' 'unsafe-inline' 'unsafe-eval' data: https: http:";
+
 /**
 * The policies that will generate the CSP header.
 * These are keyed by the directive.
@@ -31,7 +38,8 @@ class SecurityPolicy
 * Constructor.
 */
 public function __construct(Config $config) {
- $this->policies['default-src'] = "'self' 'unsafe-inline' 'unsafe-eval'";
+ $this->policies['default-src'] = self::RULE_DEFAULT;
+ $this->policies['img-src'] = self::RULE_IMG_DEFAULT;
 $generalConfig = $config->General;
 $this->cspEnabled = $generalConfig['csp_enabled'];
@@ -69,6 +77,14 @@ class SecurityPolicy
 }
 /**
+ * Disable CSP
+ *
+ */
+ public function disable() {
+ $this->cspEnabled = false;
+ }
+
+ /**
 * Creates the Header String that can be inserted in the Content-Security-Policy header.
 *
 * @return string
@@ -89,4 +105,14 @@ class SecurityPolicy
 return $headerString;
 }
+
+ /**
+ * A less restrictive CSP which will allow embedding other sites with iframes
+ * (useful for heatmaps and session recordings)
+ *
+ */
+ public function allowEmbedPage() {
+ $this->overridePolicy('default-src', self::RULE_EMBEDDED_FRAME);
+ $this->addPolicy('script-src', self::RULE_DEFAULT);
+ }
 }
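Review bot: `RULE_IMG_DEFAULT` is declared without a terminating semicolon as rendered here (the string literal is followed directly by the next `const`), which is a parse error that would take the whole class down on load; the line should read `const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:";` and, if this is only a rendering artifact, that should be confirmed against the committed file. Separately, `'unsafe-inline'` and `'unsafe-eval'` have no meaning in `img-src` (they only apply to script and style directives), so the image rule could be reduced to `"'self' data:"` without changing what browsers enforce. The three constants also lack a visibility modifier; if the project's PHP baseline allows it, `public const` (or `private const` if they are not meant as API) is the PSR-12 form.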
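Review bot: `disable()` has no return type and its docblock is an empty stub, while the method has a consequence callers should be told about: it takes precedence over the `csp_enabled` config value read in the constructor for the rest of this instance's lifetime, and no counterpart exists in this change to switch the policy back on. Suggest `public function disable(): void` (if the project's PHP baseline allows return types) with a docblock along the lines of `Disables the Content-Security-Policy header for this instance regardless of the csp_enabled setting; there is no way to re-enable it afterwards.` The rest of the class around this hunk is outside the view.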
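Review bot: `allowEmbedPage()` loosens `default-src` to `https: http:`, but `default-src` is the fallback for every fetch directive that has no explicit entry, so this permits connect, style, font, media, object and worker sources from any origin, far more than framing another site requires, and only `script-src` is pinned back by the `addPolicy` call. If the only requirement is to frame the other page, `frame-src` is the directive governing nested browsing contexts, so `$this->overridePolicy('frame-src', "'self' https: http:");` while leaving `default-src` untouched would be the narrower change; if the broad loosening is intentional, an explicit `$this->overridePolicy('object-src', "'none'");` would at least keep plugin content out of the relaxed policy. Whether `addPolicy` appends to an existing `script-src` entry or replaces it is not visible in this hunk, so if one is already set the effective value may not be `RULE_DEFAULT` alone. The method also lacks a `: void` return type and the docblock ends with a dangling empty `*` line.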