From a16619b78ecf634b1582bf0e8239eece18fcca96 Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Sun, 22 Nov 2020 23:27:54 +0100
Subject: [PATCH] Add option to set frame-ancestors CSP

---
 MD_STD_SEC.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/MD_STD_SEC.php b/MD_STD_SEC.php
index db2ae77..1ad51c9 100644
--- a/MD_STD_SEC.php
+++ b/MD_STD_SEC.php
@@ -126,13 +126,20 @@ final class MD_STD_SEC {
     /**
      * Send CSP headers.
      *
-     * @param array{default-src: string, connect-src: string, script-src: string, img-src: string, media-src: string, style-src: string, frame-src: string, object-src: string, base-uri: string, form-action: string} $directives Directives to send. Font source is always set to 'self', and hence excluded.
+     * @param array{default-src: string, connect-src: string, script-src: string, img-src: string, media-src: string, style-src: string, frame-src: string, object-src: string, base-uri: string, form-action: string, frame-ancestors?: string} $directives Directives to send. Font source is always set to 'self', and hence excluded.
+     * @param string $frame_ancestors Frame ancestors directive. Default is to not set it.
      *
      * @return void
      */
-    public static function sendContentSecurityPolicy(array $directives):void {
+    public static function sendContentSecurityPolicy(array $directives, string $frame_ancestors = ""):void {
-        header('Content-Security-Policy: default-src ' . $directives['default-src'] . '; connect-src ' . $directives['connect-src'] . '; script-src ' . $directives['script-src'] . '; img-src ' . $directives['img-src'] . '; media-src ' . $directives['media-src'] . '; style-src ' . $directives['style-src'] . '; font-src \'self\'; frame-src ' . $directives['frame-src'] . '; object-src ' . $directives['object-src'] . '; base-uri ' . $directives['base-uri'] . '; form-action ' . $directives['form-action'] . '; manifest-src \'self\'');
+        $policy = 'Content-Security-Policy: default-src ' . $directives['default-src'] . '; connect-src ' . $directives['connect-src'] . '; script-src ' . $directives['script-src'] . '; img-src ' . $directives['img-src'] . '; media-src ' . $directives['media-src'] . '; style-src ' . $directives['style-src'] . '; font-src \'self\'; frame-src ' . $directives['frame-src'] . '; object-src ' . $directives['object-src'] . '; base-uri ' . $directives['base-uri'] . '; form-action ' . $directives['form-action'] . '; manifest-src \'self\';';
+
+        if (!empty($frame_ancestors)) {
+            $policy .= ' frame-ancestors ' . $frame_ancestors . ';';
+        }
+
+        header($policy);
     }
 }
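Review bot: The updated `@param` shape advertises a `frame-ancestors?: string` key on `$directives`, but the new body only reads the separate `$frame_ancestors` parameter and never touches `$directives['frame-ancestors']`, so a caller who follows the documented array shape silently gets no `frame-ancestors` directive and the page stays embeddable by any origin. Either remove that key from the docblock or honor it as a fallback before the `if`, e.g. `$frame_ancestors = $frame_ancestors !== '' ? $frame_ancestors : ($directives['frame-ancestors'] ?? '');`. The guard itself is better written as `if ($frame_ancestors !== '') {` — `!empty()` also discards the string `"0"` and reads as a truthiness test rather than a presence test. Because the default omits the directive entirely and nothing in this hunk sends `X-Frame-Options`, the docblock for `$frame_ancestors` should state that callers wanting clickjacking protection must pass a value such as `'none'` or `'self'`; whether an `X-Frame-Options` header is sent elsewhere in the class is not visible here.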