From ca1555d9620e58dd6aa13838eb0385f149d64602 Mon Sep 17 00:00:00 2001
From: snipe
Date: Thu, 16 May 2024 22:19:18 +0100
Subject: [PATCH] Fixed #14664 - allow additional urls in env for CSP

Signed-off-by: snipe
---
 app/Http/Middleware/SecurityHeaders.php | 4 ++--
 config/app.php                          | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/Http/Middleware/SecurityHeaders.php b/app/Http/Middleware/SecurityHeaders.php
index 25f0461fcf..8e6c17b4e7 100644
--- a/app/Http/Middleware/SecurityHeaders.php
+++ b/app/Http/Middleware/SecurityHeaders.php
@@ -88,13 +88,13 @@ class SecurityHeaders
             $csp_policy[] = "connect-src 'self'";
             $csp_policy[] = "object-src 'none'";
             $csp_policy[] = "font-src 'self' data:";
-            $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
+            $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.config('app.additional_csp_urls').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
 
             if (config('filesystems.disks.public.driver') == 's3') {
                 $csp_policy[] = "img-src 'self' data: ".config('filesystems.disks.public.url');
             }
 
             $csp_policy = join(';', $csp_policy);
-
+
             $response->headers->set('Content-Security-Policy', $csp_policy);
         }
diff --git a/config/app.php b/config/app.php
index eb288f5feb..2c25cd645b 100755
--- a/config/app.php
+++ b/config/app.php
@@ -201,6 +201,9 @@ return [
 
     'enable_csp' => env('ENABLE_CSP', true),
 
+    'additional_csp_urls' => env('ADDITIONAL_CSP_URLS', ''),
+
+
     /*
     |--------------------------------------------------------------------------
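Review bot: The value of `config('app.additional_csp_urls')` on the new img-src line is spliced into the Content-Security-Policy header with no validation, so a misconfigured .env value containing `;` would end the img-src directive and start a new one, and a value such as `*` silently widens the image policy to every origin. Normalising the value before concatenation keeps the header well-formed, e.g. `$additional = trim(str_replace([';', "'", '"'], ' ', (string) config('app.additional_csp_urls', '')));` followed by using `$additional` in place of the raw config call. The setting only reaches img-src, not connect-src or the other directives, so documenting the key as a space-separated list of extra image origins would avoid operators expecting it to apply to the whole policy. The adjacent `env('PUBLIC_AWS_URL')` still reads the environment directly, which Laravel no longer resolves once config is cached; the new key correctly goes through config(), and PUBLIC_AWS_URL could follow the same pattern. The enclosing method starts and ends outside the hunk.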