From aab635154af9615b160747f6a14391fd603843e4 Mon Sep 17 00:00:00 2001
From: snipe
Date: Mon, 2 Oct 2017 13:29:14 -0700
Subject: [PATCH] Default to turning CSP off until we can fix vue/CSP issues

---
 app/Http/Middleware/ContentSecurityPolicyHeader.php | 4 ++--
 config/app.php | 2 +-
 resources/views/layouts/default.blade.php | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/app/Http/Middleware/ContentSecurityPolicyHeader.php b/app/Http/Middleware/ContentSecurityPolicyHeader.php
index dd0d39cf3..05eb73ed9 100644
--- a/app/Http/Middleware/ContentSecurityPolicyHeader.php
+++ b/app/Http/Middleware/ContentSecurityPolicyHeader.php
@@ -14,14 +14,14 @@ class ContentSecurityPolicyHeader
      */
     public function handle($request, Closure $next)
     {
-        if ((config('app.debug')=='true') || (config('app.disable_csp')=='true')) {
+        if ((config('app.debug')=='true') || (config('app.enable_csp')!='true')) {
             $response = $next($request);
             return $response;
         }
 
         $policy[] = "default-src 'self'";
         $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
-        $policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
+        $policy[] = "script-src 'self' 'unsafe-inline' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
         $policy[] = "connect-src 'self'";
         $policy[] = "object-src 'none'";
         $policy[] = "font-src 'self' data:";
diff --git a/config/app.php b/config/app.php
index e2dc3682b..43f851abd 100755
--- a/config/app.php
+++ b/config/app.php
@@ -183,7 +183,7 @@ return [
     |
     */
 
-    'disable_csp' => env('DISABLE_CSP', false),
+    'enable_csp' => env('ENABLE_CSP', false),
 
 
 
diff --git a/resources/views/layouts/default.blade.php b/resources/views/layouts/default.blade.php
index 808f18de4..ab87ce569 100644
--- a/resources/views/layouts/default.blade.php
+++ b/resources/views/layouts/default.blade.php
@@ -84,8 +84,8 @@
 @else
-
-
+
+
 @endif
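Review bot: Adding `'unsafe-inline'` next to the `'nonce-…'` token on the rewritten script-src line does not relax the policy on nonce-aware browsers — CSP level 2 and 3 ignore `'unsafe-inline'` when a nonce or hash is present in the same directive, so inline scripts lacking the nonce stay blocked there, while older CSP1-only browsers would instead allow every inline script; if the goal is to get the Vue bootstrap running, give those inline scripts the nonce attribute rather than widening the directive. The same new line still lists `oss.mafxcdn.com`, which looks like a typo for the `oss.maxcdn.com` host already used on the style-src line. The new guard `config('app.enable_csp')!='true'` relies on loose comparison against the string `'true'`, while the config/app.php hunk defaults the key to boolean `false`; a value such as `ENABLE_CSP=1` would presumably come back from env() as a string and silently leave CSP disabled, so a boolean test like `if (config('app.debug') || ! filter_var(config('app.enable_csp'), FILTER_VALIDATE_BOOLEAN)) {` is safer. Separately, `csrf_token()` is reused for every response in a session, which is weaker than the per-response random nonce CSP expects, though that predates this commit. handle() continues past the end of the hunk.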