kenmirrors/firefly-iii
1
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-09-29 18:20:01 +00:00
Code Issues Projects Releases Wiki Activity

Update header readability, add Google as an optional allowed source.

Browse Source
This commit is contained in:
James Cole
2018-08-25 10:36:27 +02:00
parent 88bab888d8
commit 2834aca597
1 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
app/Http/Middleware/SecureHeaders.php
View File

@@ -23,7 +23,6 @@ declare(strict_types=1);
namespace FireflyIII\Http\Middleware; namespace FireflyIII\Http\Middleware;
use Auth;
use Closure; use Closure;
use Illuminate\Http\Request; use Illuminate\Http\Request;
@@ -44,10 +43,25 @@ class SecureHeaders
*/ */
public function handle(Request $request, Closure $next) public function handle(Request $request, Closure $next)
{ {
$response = $next($request); $response = $next($request);
$google = '';
$analyticsId = env('ANALYTICS_ID', '');
if ('' !== $analyticsId) {
$google = 'https://www.google-analytics.com/analytics.js';
}
$csp = [
"default-src 'none'",
sprintf("script-src 'self' 'unsafe-eval' 'unsafe-inline' %s", $google),
"style-src 'self' 'unsafe-inline'",
"base-uri 'self'",
"form-action 'self'",
"font-src 'self'",
"connect-src 'self'",
"img-src 'self'",
];
$response->header('X-Frame-Options', 'deny'); $response->header('X-Frame-Options', 'deny');
$response->header('Content-Security-Policy', "default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com/analytics.js; style-src 'self' 'unsafe-inline';base-uri 'self';form-action 'self';font-src 'self';connect-src 'self';img-src 'self'"); $response->header('Content-Security-Policy', implode('; ', $csp));
return $response; return $response;
} }