Improved settings of CSPs.

Added manifest.json.
Added further security-related HTTP headers.

inc/standardHTML.php

@@ -25,11 +25,18 @@ function printPublicHead(array $settings, string $page = "home", string $title =
 <head>
 
     <!-- Content Security policies -->
-    <meta http-equiv="Content-Security-Policy" content="default-src \'none\'; script-src \'self\'; connect-src \'self\' ' . $settings['mdVersion'] . '; img-src \'self\' ' . $settings['mdVersion'] . '; style-src \'self\' \'unsafe-inline\'; font-src \'self\';" />
+    <meta http-equiv="Content-Security-Policy" content="default-src \'none\'; script-src \'self\'; connect-src \'self\' ' . $settings['mdVersion'] . '; img-src \'self\' ' . $settings['mdVersion'];
+    if ($settings['CSPimageSources']) $output .= " " . $settings['CSPimageSources']; // Allow embedding of whitelisted images.
+    $output .= '; style-src \'self\' \'unsafe-inline\'; font-src \'self\'; frame-src \'self\'';
+    if ($settings['CSPobjectSources']) $output .= " " . $settings['CSPobjectSources']; // Allow embedding of whitelisted frame contents / objects.
+    $output .= '; object-src \'self\'';
+    if ($settings['CSPobjectSources']) $output .= " " . $settings['CSPobjectSources']; // Allow embedding of whitelisted frame contents / objects.
+    $output .= '; frame-ancestors \'self\'; base-uri \'none\'; form-action \'self\';" />
 
 	<title>' . $title . '</title>
-    <link rel="stylesheet" type="text/css" href="themes/' . $settings['css'] . '/theme.css" />
     <link rel="stylesheet" type="text/css" href="themes/imports.css" />
+    <link rel="stylesheet" type="text/css" href="themes/' . $settings['css'] . '/theme.css" />
+    <link rel="manifest" href="./manifest.php">
     <meta http-equiv="content-type" content="text/html;charset=utf-8" />';
 
     $output .= $additional;