github.com/matomo-org/matomo.git
author Justin Velluppillai <justin@innocraft.com> 2021-08-12 15:35:13 +0300
committer GitHub <noreply@github.com> 2021-08-12 15:35:13 +0300
commit ca8e320ff9011d7146b7200c8c41bb0e39a4a846
tree 81859e42f3a0c91e32846d7f854017e4b6ceb39c /core/Plugin
parent 9873cb71e66be0f80839c76e923c3b866dd23b46
Set CSP header to prevent XSS (#17798)

* Set CSP header to prevent XSS
* Add config setting to disable CSP or enable report-only mode
* Modify settings and remove deprecated report-uri
* Adding tests
* Added tests for different settings
* Prefer DI

Co-authored-by: Stefan Giehl <stefan@matomo.org>

* SecurityPolicy objects now constructed with Config parameter
* Updates expected UI test file

Co-authored-by: Stefan Giehl <stefan@matomo.org>

Diffstat (limited to 'core/Plugin')
-rw-r--r-- core/Plugin/Controller.php 10
1 files changed, 10 insertions, 0 deletions
diff --git a/core/Plugin/Controller.php b/core/Plugin/Controller.php
index 3188c0eafb..abec6f9316 100644
--- a/core/Plugin/Controller.php
+++ b/core/Plugin/Controller.php
@@ -111,6 +111,14 @@ abstract class Controller
protected $site = null;
/**
+ * The SecurityPolicy object.
+ *
+ * @var SecurityPolicy
+ * @api
+ */
+ protected $securityPolicy = null;
+
+ /**
* Constructor.
*
* @api
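Review bot: the `@var SecurityPolicy` tag on the new `$securityPolicy` property uses the short class name, while the constructor hunk refers to the same class as `View\SecurityPolicy::class` and the 10 insertions in this file add no `use` statement for it. Within this class's namespace, IDEs and static analysers will resolve the short name to a different class than the one actually assigned. Suggest `@var View\SecurityPolicy` or the fully qualified name. Because the property is tagged `@api` and defaults to `null`, the docblock should also state what plugin controllers may do with the object and whether it can be `null` at the point they use it.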
@@ -125,6 +133,8 @@ abstract class Controller
$aPluginName = explode('\\', get_class($this));
$this->pluginName = $aPluginName[2];
+ $this->securityPolicy = StaticContainer::get(View\SecurityPolicy::class);
+
$date = Common::getRequestVar('date', 'yesterday', 'string');
try {
$this->idSite = Common::getRequestVar('idSite', false, 'int');
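Review bot: `$this->securityPolicy = StaticContainer::get(View\SecurityPolicy::class);` is a service-locator lookup hard-coded in the base constructor, which does not match the "Prefer DI" item in the commit message and makes the policy hard to substitute in controller tests. A subclass that overrides the constructor without calling the parent keeps the `null` default from the property declaration, so any later use of `$this->securityPolicy` would fail on a null dereference. Suggest a protected accessor that resolves the policy on first use, or passing the policy in as a constructor argument, so the property is never observed as `null`.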