CSP: set nonce for iframes
For now this reuses the jsNonce, so that it can easily be backported. For 17 I will fix it properly. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
parent
f8988c257c
commit
4d8e1f6c67
1 changed files with 5 additions and 1 deletions
|
@ -468,7 +468,11 @@ class EmptyContentSecurityPolicy {
|
|||
}
|
||||
|
||||
if(!empty($this->allowedFrameDomains)) {
|
||||
$policy .= 'frame-src ' . implode(' ', $this->allowedFrameDomains);
|
||||
$policy .= 'frame-src ';
|
||||
if(is_string($this->useJsNonce)) {
|
||||
$policy .= '\'nonce-' . base64_encode($this->useJsNonce) . '\' ';
|
||||
}
|
||||
$policy .= implode(' ', $this->allowedFrameDomains);
|
||||
$policy .= ';';
|
||||
}
|
||||
|
||||
|
|
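Review bot: The nonce source is only emitted inside the existing `if(!empty($this->allowedFrameDomains))` branch, so a policy that has a nonce but no allowed frame domains still produces no `frame-src` directive. If nonce-only framing is meant to work, the outer condition has to cover the nonce case; if not, a comment such as `// nonce is only added when frame domains are configured` would make that explicit. `is_string($this->useJsNonce)` also accepts an empty string, which would emit the invalid source `'nonce-'`; `if(is_string($this->useJsNonce) && $this->useJsNonce !== '') {` avoids that. It is also worth confirming in the supported browsers that a nonce-source is honoured for `frame-src` at all, since CSP defines nonce matching for script and style elements. The enclosing method starts and ends outside the hunk.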