feat(#1869): Allow script-src and connect-src configuration

LycheeOrg · Jun 6, 2023 · b11b5eb · b11b5eb
1 parent 1a0b831
commit b11b5eb
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/.env.example b/.env.example
@@ -74,6 +74,8 @@ SESSION_LIFETIME=120
 QUEUE_CONNECTION=sync
 
 SECURITY_HEADER_HSTS_ENABLE=false
+SECURITY_HEADER_CSP_CONNECT_SRC=
+SECURITY_HEADER_SCRIPT_SRC_ALLOW=
 SESSION_SECURE_COOKIE=false
 
 REDIS_HOST=127.0.0.1

diff --git a/config/secure-headers.php b/config/secure-headers.php
@@ -345,9 +345,10 @@
 		],
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
-		'connect-src' => [
-			'https://lycheeorg.github.io/update.json',
-		],
+		'connect-src' => array_merge(
+			['https://lycheeorg.github.io/update.json'],
+			explode(",", env('SECURITY_HEADER_CSP_CONNECT_SRC', ''))
+		),
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
 		'default-src' => [
@@ -467,10 +468,10 @@
 			// https://www.chromestatus.com/feature/5792234276388864
 			'report-sample' => true,
 
-			'allow' => [
-				'https://www.dropbox.com/static/api/1/dropins.js',
-				// 'url',
-			],
+			'allow' => array_merge(
+				['https://www.dropbox.com/static/api/1/dropins.js'],
+				explode(",", env('SECURITY_HEADER_SCRIPT_SRC_ALLOW', ''))
+			),
 
 			'schemes' => [
 				// 'data:',