1 files changed, 36 insertions, 0 deletions

diff --git a/lib/Minz/ActionController.php b/lib/Minz/ActionController.php
index 123b9054c..f60b5411d 100644
--- a/lib/Minz/ActionController.php
+++ b/lib/Minz/ActionController.php
@@ -9,6 +9,9 @@
  */
 class Minz_ActionController {
 	protected $view;
+	private $csp_policies = array(
+		'default-src' => "'self'",
+	);
 
 	/**
 	 * Constructeur
@@ -28,6 +31,39 @@ class Minz_ActionController {
 	}
 
 	/**
+	 * Set CSP policies.
+	 *
+	 * A default-src directive should always be given.
+	 *
+	 * References:
+	 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+	 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
+	 *
+	 * @param array $policies An array where keys are directives and values are sources.
+	 */
+	protected function _csp($policies) {
+		if (!isset($policies['default-src'])) {
+			$action = Minz_Request::controllerName() . '#' . Minz_Request::actionName();
+			Minz_Log::warning(
+				"Default CSP policy is not declared for action {$action}.",
+				ADMIN_LOG
+			);
+		}
+		$this->csp_policies = $policies;
+	}
+
+	/**
+	 * Send HTTP Content-Security-Policy header based on declared policies.
+	 */
+	public function declareCspHeader() {
+		$policies = [];
+		foreach ($this->csp_policies as $directive => $sources) {
+			$policies[] = $directive . ' ' . $sources;
+		}
+		header('Content-Security-Policy: ' . implode('; ', $policies));
+	}
+
+	/**
 	 * Méthodes à redéfinir (ou non) par héritage
 	 * firstAction est la première méthode exécutée par le Dispatcher
 	 * lastAction est la dernière