Add EVENT_CORE_HEADERS event

Called before core emits headers enabling plugins to emit their own headers or call APIs that shape the value of headers emitted by core like Content-Security-Policy. Fixes #21263
mantisbt · Aug 27, 2016 · c13b325 · c13b325
1 parent 9f35986
commit c13b325
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 5 deletions.
diff --git a/core.php b/core.php
@@ -274,6 +274,7 @@ function __autoload( $p_class ) {
 
 # Set HTTP response headers
 require_api( 'http_api.php' );
+event_signal( 'EVENT_CORE_HEADERS' );
 http_all_headers();
 
 # Push default language to speed calls to lang_get

diff --git a/core/events_inc.php b/core/events_inc.php
@@ -33,6 +33,7 @@
 
 	# Events specific to the core system
 	'EVENT_CORE_READY' => EVENT_TYPE_EXECUTE,
+	'EVENT_CORE_HEADERS' => EVENT_TYPE_EXECUTE,
 
 	# MantisBT Layout Events
 	'EVENT_LAYOUT_RESOURCES' => EVENT_TYPE_OUTPUT,

diff --git a/docbook/Developers_Guide/en-US/Events_Reference.xml b/docbook/Developers_Guide/en-US/Events_Reference.xml
@@ -83,6 +83,19 @@
 			</blockquote>
 		</blockquote>
 
+		<blockquote id="dev.eventref.system.coreheaders">
+			<title>EVENT_CORE_HEADERS (Execute)</title>
+
+			<blockquote>
+				<para>
+					This event is triggered by the MantisBT bootstrap process just before emitting the
+					headers.  This enables plugins to emit their own headers or use API that enables
+					tweaking values of headers emitted by core.  An example, of headers that can be
+					tweaked is Content-Security-Policy header which can be tweaked using http_csp_*() APIs.
+				</para>
+			</blockquote>
+		</blockquote>
+
 		<blockquote id="dev.eventref.system.coreready">
 			<title>EVENT_CORE_READY (Execute)</title>
 

diff --git a/plugins/Gravatar/Gravatar.php b/plugins/Gravatar/Gravatar.php
@@ -104,16 +104,21 @@ function config() {
 	 * Register event hooks for plugin.
 	 */
 	function hooks() {
-		if( config_get( 'show_avatar' ) !== OFF ) {
-			# Set CSP header
-			http_csp_add( 'img-src', self::getAvatarUrl() );
-		}
-
 		return array(
 			'EVENT_USER_AVATAR' => 'user_get_avatar',
+			'EVENT_CORE_HEADERS' => 'csp_headers',
 		);
 	}
 
+	/**
+	 * Register gravatar url as an img-src for CSP header
+	 */
+	function csp_headers() {
+		if( config_get( 'show_avatar' ) !== OFF ) {
+			http_csp_add( 'img-src', self::getAvatarUrl() );
+		}
+	}
+
 	/**
 	 * Return the user avatar image URL
 	 * in this first implementation, only gravatar.com avatars are supported