museum-digital/MD_STD
35
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

Compare commits

base: museum-digital:9507387c8a69c88a1aa684fb6d87026671885ded
Branches Tags
museum-digital:master
..
compare: museum-digital:6a7b8bd8fdef418f11b2fe8f164a5ea9643eb091
Branches Tags
museum-digital:master

2 Commits
9507387c8a ... 6a7b8bd8fd

Author SHA1 Message Date
Joshua Ramon Enslin
6a7b8bd8fd Disable setting language cookie for curl or clients without user agents 2022-03-26 16:49:10 +01:00
Joshua Ramon Enslin
8d7b270f6f Allow setting worker-src in MD_STD_SEC 2022-03-24 23:25:05 +01:00
2 changed files with 7 additions and 1 deletions
Expand all files Collapse all files

6
src/MD_STD.php
View File

@ -428,6 +428,12 @@ final class MD_STD {
} }
else { else {
$lang = self::lang_getfrombrowser($allowed_langs, $default_lang, "", false); $lang = self::lang_getfrombrowser($allowed_langs, $default_lang, "", false);
// If the user is a bot or has no user agent at all or one of curl's,
// setting a cookie usually makes little sense.
// On the other hand, setting the cookie prevents effective caching.
if (empty($_SERVER['HTTP_USER_AGENT']) || substr($_SERVER['HTTP_USER_AGENT'], 0, 5) === 'curl/') return $lang;
if (!setcookie('__Host-lang', $lang, $cookie_options)) { if (!setcookie('__Host-lang', $lang, $cookie_options)) {
throw new Exception("Failed to set language"); throw new Exception("Failed to set language");
} }

2
src/MD_STD_SEC.php
View File

@ -141,7 +141,7 @@ final class MD_STD_SEC {
*/ */
public static function sendContentSecurityPolicy(array $directives, string $frame_ancestors = ""):void { public static function sendContentSecurityPolicy(array $directives, string $frame_ancestors = ""):void {
$policy = 'Content-Security-Policy: default-src ' . $directives['default-src'] . '; connect-src ' . $directives['connect-src'] . '; script-src ' . $directives['script-src'] . '; img-src ' . $directives['img-src'] . '; media-src ' . $directives['media-src'] . '; style-src ' . $directives['style-src'] . '; font-src \'self\'; frame-src ' . $directives['frame-src'] . '; object-src ' . $directives['object-src'] . '; base-uri ' . $directives['base-uri'] . '; form-action ' . $directives['form-action'] . '; manifest-src \'self\'; worker-src \'self\';'; $policy = 'Content-Security-Policy: default-src ' . $directives['default-src'] . '; connect-src ' . $directives['connect-src'] . '; script-src ' . $directives['script-src'] . '; img-src ' . $directives['img-src'] . '; media-src ' . $directives['media-src'] . '; style-src ' . $directives['style-src'] . '; font-src \'self\'; frame-src ' . $directives['frame-src'] . '; object-src ' . $directives['object-src'] . '; base-uri ' . $directives['base-uri'] . '; form-action ' . $directives['form-action'] . '; manifest-src \'self\'; worker-src ' . ($directives['worker-src'] ?? '\'self\'') . ';';
if (!empty($frame_ancestors)) { if (!empty($frame_ancestors)) {
$policy .= ' frame-ancestors ' . $frame_ancestors . ';'; $policy .= ' frame-ancestors ' . $frame_ancestors . ';';