<?php

namespace App\Http\Middleware;

use Closure;

class CSPHeader
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // headers have to be single-line strings,
        // so we concat multiple lines
        return $next($request)
            ->header(
                'Content-Security-Policy',
                "default-src 'self'; " .
                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://analytics.jmb.lv blob:; " .
                "style-src 'self' 'unsafe-inline' https://api.mapbox.com https://fonts.googleapis.com use.typekit.net p.typekit.net; " .
                "img-src 'self' data: blob: https://pbs.twimg.com https://api.mapbox.com https://*.tiles.mapbox.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com analytics.jmb.lv https://*.4sqi.net https://upload.wikimedia.org p.typekit.net; " .
                "font-src 'self' https://fonts.gstatic.com use.typekit.net fonts.typekit.net; " .
                "connect-src 'self' https://api.mapbox.com https://*.tiles.mapbox.com performance.typekit.net data: blob:; " .
                "worker-src 'self' blob:; " .
                "frame-src 'self' https://www.youtube.com blob:; " .
                "child-src 'self' blob:; " .
                'upgrade-insecure-requests; ' .
                'block-all-mixed-content; ' .
                'report-to csp-endpoint; ' .
                'report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;'
            )
            ->header(
                'Report-To',
                '{' .
                    "'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
                    "'group': 'csp-endpoint'," .
                    "'max-age': 10886400" .
                '}'
            );
    }
}