White list CDN sources in CSP header
Fixes #21650
vboctor committed Aug 27, 2016
1 parent df3d0bc commit 133c109
Showing 2 changed files with 20 additions and 3 deletions.
12 changes: 9 additions & 3 deletions core/http_api.php
Expand Up @@ -220,9 +220,15 @@ function http_security_headers() {

# White list the CDN urls (if enabled)
if ( config_get_global( 'cdn_enabled' ) == ON ) {
$t_cdn_url = 'https://ajax.googleapis.com';
http_csp_add( 'style-src', $t_cdn_url );
http_csp_add( 'script-src', $t_cdn_url );
http_csp_add( 'style-src', 'ajax.googleapis.com' );
http_csp_add( 'style-src', 'maxcdn.bootstrapcdn.com' );
http_csp_add( 'style-src', 'fonts.googleapis.com' );

http_csp_add( 'font-src', 'fonts.gstatic.com' );
http_csp_add( 'font-src', 'maxcdn.bootstrapcdn.com' );

http_csp_add( 'script-src', 'ajax.googleapis.com' );
http_csp_add( 'script-src', 'maxcdn.bootstrapcdn.com' );
}

http_csp_emit_header();
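Review bot: The new http_csp_add() calls drop the `https://` scheme that the replaced `$t_cdn_url` carried, so each host-source now inherits the scheme of the page itself; on a MantisBT instance served over plain HTTP that admits `http://ajax.googleapis.com` and the other CDN hosts, reopening in-transit script/style injection that the previous explicit scheme excluded. Keep the scheme on every entry, e.g. `http_csp_add( 'script-src', 'https://ajax.googleapis.com' );` and the same for the style-src and font-src hosts. Whitelisting an entire CDN host in script-src also permits any library it serves, including older AngularJS builds that are a well-known CSP bypass vector, so narrowing each source to the paths actually used and adding SRI `integrity` attributes on the CDN tags (presumably emitted elsewhere) would tighten this further. http_security_headers() begins above this hunk and continues below it.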
11 changes: 11 additions & 0 deletions plugins/MantisGraph/MantisGraph.php
Expand Up @@ -57,12 +57,23 @@ function config() {
function hooks() {
$t_hooks = array(
'EVENT_LAYOUT_RESOURCES' => 'resources',
'EVENT_CORE_HEADERS' => 'csp_headers',
'EVENT_SUBMENU_SUMMARY' => 'summary_submenu',
'EVENT_MENU_FILTER' => 'graph_filter_menu'
);
return $t_hooks;
}

/**
* Add Content-Security-Policy directives that are needed to load scripts for CDN.
* @return void
*/
function csp_headers() {
if ( config_get_global( 'cdn_enabled' ) == ON ) {
http_csp_add( 'script-src', 'https://cdnjs.cloudflare.com/ajax/libs/Chart.js/' );

@dregad

dregad Aug 29, 2016

Member

I think this is invalid per CSP specification (content source must be a hostname [1]) and likely the cause for #21653, don't have time to test ATM.

[1] https://content-security-policy.com/#source_list

}
}

/**
* generate graph filter menu
* @return array
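Review bot: The directive added in csp_headers() only constrains where the Chart.js script may come from, not what it contains, so any build under that cdnjs location remains loadable within policy; the byte-level pin belongs on the `<script>` tag itself via an SRI `integrity` attribute, which would be emitted by the plugin's resources() hook (not shown here) rather than in this function. The hook also relies on `EVENT_CORE_HEADERS` firing before core emits the CSP header, otherwise the added source is silently lost; a one-line comment such as `# Must run before http_csp_emit_header() in core, or this directive is never sent` on csp_headers() would make that ordering dependency explicit — worth confirming against the actual event order. The docblock wording "needed to load scripts for CDN" would read better as "needed to load the Chart.js script from the CDN".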