github.com/matomo-org/matomo.git
path: root/config
author: Justin Velluppillai <justin@innocraft.com> 2021-08-12 15:35:13 +0300
committer: GitHub <noreply@github.com> 2021-08-12 15:35:13 +0300
commit: ca8e320ff9011d7146b7200c8c41bb0e39a4a846 (patch)
tree: 81859e42f3a0c91e32846d7f854017e4b6ceb39c /config
parent: 9873cb71e66be0f80839c76e923c3b866dd23b46 (diff)
Set CSP header to prevent XSS (#17798)
* Set CSP header to prevent XSS
* Add config setting to disable CSP or enable report-only mode
* Modify settings and remove deprecated report-uri
* Adding tests
* Added tests for different settings
* Prefer DI

Co-authored-by: Stefan Giehl <stefan@matomo.org>

* SecurityPolicy objects now constructed with Config parameter
* Updates expected UI test file

Co-authored-by: Stefan Giehl <stefan@matomo.org>
Diffstat (limited to 'config')
-rwxr-xr-x config/global.ini.php | 7
1 files changed, 7 insertions, 0 deletions
diff --git a/config/global.ini.php b/config/global.ini.php
index 27022bd64e..0f1e6dde49 100755
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -437,6 +437,13 @@ password_hash_argon2_time_cost = default
; it is recommended for security reasons to always use Matomo over https
force_ssl = 0
+; If set to 1, Matomo will send a Content-Security-Policy header
+csp_enabled = 1
+
+; If set, and csp_enabled is on, Matomo will send a report-uri in the Content-Security-Policy-Report-Only header
+; instead of a Content-Security-Policy header.
+csp_report_only = 1
+
; If set to 1 Matomo will prefer using SERVER_NAME variable over HTTP_HOST.
; This can add an additional layer of security as SERVER_NAME can not be manipulated by sending custom host headers when configure correctly.
host_validation_use_server_name = 0
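Review bot: the comment above `csp_report_only` still describes the setting in terms of a `report-uri` ("Matomo will send a report-uri in the Content-Security-Policy-Report-Only header"), which the commit message says was removed as deprecated, and it never states which value switches to enforcement; the neighbouring settings in this file use the `; If set to 1, ...` form, so the comment should too. Suggested wording: `; If set to 1 and csp_enabled is 1, Matomo sends the policy in a Content-Security-Policy-Report-Only header` / `; (violations are reported by the browser but not blocked). Set to 0 to send an enforcing Content-Security-Policy header.` Also worth flagging that with `csp_report_only = 1` as the shipped default, a fresh install only reports and never blocks, so the XSS protection the commit title promises is inactive until an operator changes this value; if report-only-by-default is a deliberate rollout step, the comment should say so and point out that, with no reporting directive in the policy, violations are visible only in the browser's developer console.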