Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Doc

Browse Source
This commit is contained in:
Laurent Destailleur
2023-01-23 11:28:37 +01:00
parent 1513c46c77
commit c067e52ec8
2 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/website.inc.php
View File

@@ -112,7 +112,7 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
// The constant WEBSITE_MAIN_SECURITY_FORCECSP should never be defined by page, but the variable used just after may be // The constant WEBSITE_MAIN_SECURITY_FORCECSP should never be defined by page, but the variable used just after may be
// A default security policy that keep usage of js external component like ckeditor, stripe, google, working // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
// $contentsecuritypolicy = "font-src *; img-src *; style-src * 'unsafe-inline' 'unsafe-eval'; default-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; script-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; frame-src 'self' *.stripe.com; connect-src 'self';"; // $contentsecuritypolicy = "font-src *; img-src *; style-src * 'unsafe-inline' 'unsafe-eval'; default-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; script-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; frame-src 'self' *.stripe.com; connect-src 'self';";
$contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSP'); $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSP');
if (!is_object($hookmanager)) { if (!is_object($hookmanager)) {

4
htdocs/main.inc.php
View File

@@ -1473,7 +1473,7 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
// If CSP not forced from the page // If CSP not forced from the page
// A default security policy that keep usage of js external component like ckeditor, stripe, google, working // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
// $contentsecuritypolicy = "font-src *; img-src *; style-src * 'unsafe-inline' 'unsafe-eval'; default-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; script-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; frame-src 'self' *.stripe.com; connect-src 'self';"; // $contentsecuritypolicy = "frame-ancestors 'self'; font-src *; img-src *; style-src * 'unsafe-inline' 'unsafe-eval'; default-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; script-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; frame-src 'self' *.stripe.com; connect-src 'self';";
$contentsecuritypolicy = getDolGlobalString('MAIN_SECURITY_FORCECSP'); $contentsecuritypolicy = getDolGlobalString('MAIN_SECURITY_FORCECSP');
if (!is_object($hookmanager)) { if (!is_object($hookmanager)) {
@@ -1492,7 +1492,7 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
if (!empty($contentsecuritypolicy)) { if (!empty($contentsecuritypolicy)) {
// For example, to restrict 'script', 'object', 'frames' or 'img' to some domains: // For example, to restrict 'script', 'object', 'frames' or 'img' to some domains:
// script-src https://api.google.com https://anotherhost.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: https://static.example.com // frame-ancestors 'self'; script-src https://api.google.com https://anotherhost.com; object-src https://youtube.com; frame-src https://youtube.com; img-src https://static.example.com
// For example, to restrict everything to one domain, except 'object', ...: // For example, to restrict everything to one domain, except 'object', ...:
// default-src https://cdn.example.net; object-src 'none' // default-src https://cdn.example.net; object-src 'none'
// For example, to restrict everything to itself except img that can be on other servers: // For example, to restrict everything to itself except img that can be on other servers: