function headers() {
}
+ /** Get Content Security Policy headers
+ * @return array directive name in key, allowed sources in value
+ */
+ function csp() {
+ return csp();
+ }
+
/** Print HTML code inside <head>
* @return bool true to link adminer.css if exists
*/
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: origin-when-cross-origin");
- header("Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; frame-src https://www.adminer.org; form-action 'self'");
+ $csp = array();
+ foreach ($adminer->csp() as $key => $val) {
+ $csp[] = "$key $val";
+ }
+ header("Content-Security-Policy: " . implode("; ", $csp));
$adminer->headers();
}
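Review bot: The call `header("Content-Security-Policy: " . implode("; ", $csp));` is made even when `$adminer->csp()` returns an empty array, which sends a Content-Security-Policy header with an empty value (a policy with no directives, so no restriction at all) rather than omitting the header. If an empty array is meant to let a plugin opt out of CSP, make that explicit with `if ($csp) { header("Content-Security-Policy: " . implode("; ", $csp)); }`; if it is not meant to be allowed, the empty case should fall back to the default policy instead. The enclosing head() method starts outside this hunk, and the same loop shape would apply to any other place the policy array is rendered.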
+/** Get Content Security Policy headers
+* @return array directive name in key, allowed sources in value
+*/
+function csp() {
+ return array(
+ "default-src" => "'none'",
+ "script-src" => "'self' 'unsafe-inline'",
+ "style-src" => "'self' 'unsafe-inline'",
+ "connect-src" => "'self'",
+ "img-src" => "'self' data:",
+ "frame-src" => "https://www.adminer.org",
+ "form-action" => "'self'",
+ );
+}
+
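Review bot: The docblock on the new global `csp()` gives the array shape but not the contract its values must meet: each value is later spliced verbatim into the Content-Security-Policy header, so it must be a space-separated list of source expressions and must not contain `;` (which would be read as a directive separator) or a line break. Suggest widening the return line to `@return array directive name in key, space-separated source expressions in value (must not contain ';')`. It also appears that an override returning from Adminer::csp() replaces the entire policy rather than merging with this default, so a plugin that only wants to add one source has to restate every directive; a sentence saying so in the docblock would save callers from accidentally dropping `default-src 'none'`.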
/** Print flash and error messages
* @param string
* @return null
return $this->_applyPlugin(__FUNCTION__, $args);
}
+ function csp() {
+ $args = func_get_args();
+ return $this->_applyPlugin(__FUNCTION__, $args);
+ }
+
function head() {
$args = func_get_args();
return $this->_applyPlugin(__FUNCTION__, $args);