diff --git a/app/Http/Middleware/SecurityHeaders.php b/app/Http/Middleware/SecurityHeaders.php index 25f0461fcf..8e6c17b4e7 100644 --- a/app/Http/Middleware/SecurityHeaders.php +++ b/app/Http/Middleware/SecurityHeaders.php @@ -88,13 +88,13 @@ class SecurityHeaders $csp_policy[] = "connect-src 'self'"; $csp_policy[] = "object-src 'none'"; $csp_policy[] = "font-src 'self' data:"; - $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com'; + $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.config('app.additional_csp_urls').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com'; if (config('filesystems.disks.public.driver') == 's3') { $csp_policy[] = "img-src 'self' data: ".config('filesystems.disks.public.url'); } $csp_policy = join(';', $csp_policy); - + $response->headers->set('Content-Security-Policy', $csp_policy); } diff --git a/config/app.php b/config/app.php index eb288f5feb..2c25cd645b 100755 --- a/config/app.php +++ b/config/app.php @@ -201,6 +201,9 @@ return [ 'enable_csp' => env('ENABLE_CSP', true), + 'additional_csp_urls' => env('ADDITIONAL_CSP_URLS', ''), + + /* |--------------------------------------------------------------------------