jrenslin/md-cms
Archived
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Improved settings of CSPs.

Browse Source 
Added manifest.json.
Added further security-related HTTP headers.
This commit is contained in:
Joshua Ramon Enslin
2018-06-18 13:57:35 +02:00
committed by Stefan Rohde-Enslin
parent 1acdc7ba2b
commit 067beedf29
12 changed files with 165 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
edit/inc/standardHTML.php
View File

@ -1,26 +1,37 @@
<?PHP
/**
* Functions for forming the HTML output.
*
* @file
*
* @author Joshua Ramon Enslin <joshua@jrenslin.de>
*/
/**
* Prints the head element of an HTML page
*
* @param string $page Name / ID of the current page.
* @param string $title Title of the page.
* @param string $icon The icon of the website.
* @param array $settings Settings variable.
* @param string $page Name / ID of the current page.
* @param string $title Title of the page.
* @param string $icon The icon of the website.
*
* @return string
*/
function printBackendHead(string $page = "home", string $title = "Home", string $icon = ""):string {
function printBackendHead(array $settings, string $page = "home", string $title = "Home", string $icon = ""):string {
$output = '<!DOCTYPE html>
<html lang="en" id="' . $page . '">
<head>
<!-- Content Security policies -->
<meta http-equiv="Content-Security-Policy" content="default-src \'none\'; script-src \'self\'; connect-src \'self\'; img-src \'self\' data: blob:; style-src \'self\' \'unsafe-inline\'; font-src \'self\';" />
<meta http-equiv="Content-Security-Policy" content="default-src \'none\'; script-src \'self\'; connect-src \'self\'; img-src \'self\' data: blob: ' . $settings['mdVersion'];
if ($settings['CSPimageSources']) $output .= " " . $settings['CSPimageSources']; // Allow embedding of whitelisted images.
$output .= '; style-src \'self\' \'unsafe-inline\'; frame-src \'self\'';
if ($settings['CSPobjectSources']) $output .= " " . $settings['CSPobjectSources']; // Allow embedding of whitelisted frame contents / objects.
$output .= '; object-src \'self\'';
if ($settings['CSPobjectSources']) $output .= " " . $settings['CSPobjectSources']; // Allow embedding of whitelisted frame contents / objects.
$output .= '; frame-ancestors \'self\';font-src \'self\';" />
<title>' . $title . '</title>
<link rel="stylesheet" type="text/css" href="themes/imports.css">
@ -29,7 +40,7 @@ function printBackendHead(string $page = "home", string $title = "Home", string
if ($icon) {
$output .= '
<link rel="shortcut icon" sizes="16x16 32x32" href="' . $icon . '" />
<link rel="shortcut icon" href="' . $icon . '" />
';
}