author | Thomas Steur <tsteur@users.noreply.github.com> | 2021-09-02 08:14:54 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-02 08:14:54 +0300 |
commit | c2791af204f24b1b61ae293af571c1279d0ac3ca (patch) | |
tree | 4af2f599d76ae1b4c6e73340ca55b9eb5b52e0a9 | |
parent | 33db50cccebf44823d2080d296d4ace848153d4f (diff) |
Revert "Expose methods to disable CSP or loosen it for embedded iframes (#17910)" (#17952)
This reverts commit 33db50cccebf44823d2080d296d4ace848153d4f.
-rw-r--r-- | core/View/SecurityPolicy.php | 28 |
1 files changed, 1 insertions, 27 deletions
diff --git a/core/View/SecurityPolicy.php b/core/View/SecurityPolicy.php
index 3fc042329f..ab403aa48a 100644
--- a/core/View/SecurityPolicy.php
+++ b/core/View/SecurityPolicy.php
@@ -16,13 +16,6 @@ use Piwik\Config;
 */
 class SecurityPolicy {
- /*
- * Commonly used rules
- */
- const RULE_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval'";
- const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:"
- const RULE_EMBEDDED_FRAME = "'self' 'unsafe-inline' 'unsafe-eval' data: https: http:";
-
 /**
 * The policies that will generate the CSP header.
 * These are keyed by the directive.
@@ -38,8 +31,7 @@ class SecurityPolicy
 * Constructor.
 */
 public function __construct(Config $config) {
- $this->policies['default-src'] = self::RULE_DEFAULT;
- $this->policies['img-src'] = self::RULE_IMG_DEFAULT;
+ $this->policies['default-src'] = "'self' 'unsafe-inline' 'unsafe-eval'";
 $generalConfig = $config->General;
 $this->cspEnabled = $generalConfig['csp_enabled'];
@@ -77,14 +69,6 @@ class SecurityPolicy
 }
 /**
- * Disable CSP
- *
- */
- public function disable() {
- $this->cspEnabled = false;
- }
-
- /**
 * Creates the Header String that can be inserted in the Content-Security-Policy header.
 *
 * @return string
@@ -105,14 +89,4 @@ class SecurityPolicy
 return $headerString;
 }
-
- /**
- * A less restrictive CSP which will allow embedding other sites with iframes
- * (useful for heatmaps and session recordings)
- *
- */
- public function allowEmbedPage() {
- $this->overridePolicy('default-src', self::RULE_EMBEDDED_FRAME);
- $this->addPolicy('script-src', self::RULE_DEFAULT);
- }
 } |
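Review bot: The restored line `$this->policies['default-src'] = "'self' 'unsafe-inline' 'unsafe-eval'";` in `__construct` (second hunk) has no comment explaining why inline script and `eval` must remain allowed, and those two source expressions are what stop a CSP from blocking injected script, so the header as written is mostly a framing/connect restriction rather than an XSS control. A why-comment above it would help the next maintainer, e.g. `// 'unsafe-inline'/'unsafe-eval' appear to be needed by existing inline scripts; moving to nonces or hashes is what would make this header block injected script — TODO confirm which templates still rely on them`. With the `img-src` entry gone, images now fall back to `default-src`, which does not list `data:`, so any view that relied on data: image URIs would be blocked by the restored policy; this looks intended by the revert but is worth confirming. The constructor body continues past the hunk.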