diff options
Diffstat (limited to 'lib/public/appframework')
| -rw-r--r-- | lib/public/appframework/http/contentsecuritypolicy.php | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/lib/public/appframework/http/contentsecuritypolicy.php b/lib/public/appframework/http/contentsecuritypolicy.php index cb9a241d8af..6778d1035be 100644 --- a/lib/public/appframework/http/contentsecuritypolicy.php +++ b/lib/public/appframework/http/contentsecuritypolicy.php @@ -65,6 +65,8 @@ class ContentSecurityPolicy { private $allowedFontDomains = [ '\'self\'', ]; + /** @var array Domains from which web-workers and nested browsing content can load elements */ + private $allowedChildSrcDomains = []; /** * Whether inline JavaScript snippets are allowed or forbidden @@ -181,6 +183,16 @@ class ContentSecurityPolicy { } /** + * Domains from which web-workers and nested browsing content can load elements + * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized. + * @return $this + */ + public function addAllowedChildSrcDomain($domain) { + $this->allowedChildSrcDomains[] = $domain; + return $this; + } + + /** * Get the generated Content-Security-Policy as a string * @return string */ @@ -236,6 +248,11 @@ class ContentSecurityPolicy { $policy .= ';'; } + if(!empty($this->allowedChildSrcDomains)) { + $policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains); + $policy .= ';'; + } + return rtrim($policy, ';'); } } |