jonny/jonnybarnes.uk
1
0
Fork 0
Code Issues 5 Pull requests Projects Releases 5 Packages Wiki Activity Actions

Remove un-needed elements from CSP header

Browse source
This commit is contained in:
Jonny Barnes 2021-10-05 20:58:28 +01:00
parent f7d71257ff
commit b464ba9dd3
1 changed files with 4 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
app/Http/Middleware/CSPHeader.php
View file

@ -18,19 +18,15 @@ class CSPHeader
{ {
// headers have to be single-line strings, // headers have to be single-line strings,
// so we concat multiple lines // so we concat multiple lines
// phpcs:disable // phpcs:disable Generic.Files.LineLength.TooLong
return $next($request) return $next($request)
->header( ->header(
'Content-Security-Policy', 'Content-Security-Policy',
"default-src 'self'; " . "default-src 'self'; " .
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://api.tiles.mapbox.com blob:; " . "style-src 'self' cloud.typography.com jonnybarnes.uk; " .
"style-src 'self' 'unsafe-inline' https://api.mapbox.com https://api.tiles.mapbox.com cloud.typography.com jonnybarnes.uk; " . "img-src 'self' data: blob: https://pbs.twimg.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://jbuk-media-dev.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com https://*.4sqi.net https://upload.wikimedia.org; " .
"img-src 'self' data: blob: https://pbs.twimg.com https://api.mapbox.com https://*.tiles.mapbox.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://jbuk-media-dev.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com https://*.4sqi.net https://upload.wikimedia.org; " .
"font-src 'self' data:; " . "font-src 'self' data:; " .
"connect-src 'self' https://api.mapbox.com https://*.tiles.mapbox.com https://events.mapbox.com data: blob:; " .
"worker-src 'self' blob:; " .
"frame-src 'self' https://www.youtube.com blob:; " . "frame-src 'self' https://www.youtube.com blob:; " .
'child-src blob:; ' .
'upgrade-insecure-requests; ' . 'upgrade-insecure-requests; ' .
'block-all-mixed-content; ' . 'block-all-mixed-content; ' .
'report-to csp-endpoint; ' . 'report-to csp-endpoint; ' .
@ -43,6 +39,6 @@ class CSPHeader
"'max-age': 10886400" . "'max-age': 10886400" .
'}' '}'
); );
// phpcs:enable // phpcs:enable Generic.Files.LineLength.TooLong
} }
} }