From 7da0e70a7221a42fb8ff6534fc339b18f8e2daa1 Mon Sep 17 00:00:00 2001 From: Alexis Degrugillier Date: Sat, 30 Mar 2024 13:09:44 -0400 Subject: Add a way to modify CSP rules within an extension (#6246) This will allow to change CSP rules to authorize the use of external scripts. We might need to add some safeguard since it will be virtually possible to load any script even malicious one. --- lib/Minz/ActionController.php | 3 +++ lib/Minz/Extension.php | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) (limited to 'lib') diff --git a/lib/Minz/ActionController.php b/lib/Minz/ActionController.php index 809a52337..12f14b0f4 100644 --- a/lib/Minz/ActionController.php +++ b/lib/Minz/ActionController.php @@ -99,6 +99,9 @@ abstract class Minz_ActionController { */ public function declareCspHeader(): void { $policies = []; + foreach (Minz_ExtensionManager::listExtensions(true) as $extension) { + $extension->amendCsp($this->csp_policies); + } foreach ($this->csp_policies as $directive => $sources) { $policies[] = $directive . ' ' . $sources; } diff --git a/lib/Minz/Extension.php b/lib/Minz/Extension.php index 206892bf9..15fae77a6 100644 --- a/lib/Minz/Extension.php +++ b/lib/Minz/Extension.php @@ -26,6 +26,9 @@ abstract class Minz_Extension { private bool $is_enabled; + /** @var string[] */ + protected array $csp_policies = []; + /** * The constructor to assign specific information to the extension. * @@ -390,4 +393,17 @@ abstract class Minz_Extension { unlink($path); } } + + /** + * @param string[] $policies + */ + public function amendCsp(array &$policies): void { + foreach ($this->csp_policies as $policy => $source) { + if (array_key_exists($policy, $policies)) { + $policies[$policy] .= ' ' . $source; + } else { + $policies[$policy] = $source; + } + } + } } -- cgit v1.2.3