lunax/snipe_it
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity Actions

Default to turning CSP off until we can fix vue/CSP issues

Browse source
This commit is contained in:
snipe 2017-10-02 13:29:14 -07:00
parent 169dc779fd
commit aab635154a
3 changed files with 5 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/Http/Middleware/ContentSecurityPolicyHeader.php
View file

@ -14,14 +14,14 @@ class ContentSecurityPolicyHeader
*/ */
public function handle($request, Closure $next) public function handle($request, Closure $next)
{ {
if ((config('app.debug')=='true') || (config('app.disable_csp')=='true')) { if ((config('app.debug')=='true') || (config('app.enable_csp')!='true')) {
$response = $next($request); $response = $next($request);
return $response; return $response;
} }
$policy[] = "default-src 'self'"; $policy[] = "default-src 'self'";
$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com"; $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
$policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'"; $policy[] = "script-src 'self' 'unsafe-inline' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
$policy[] = "connect-src 'self'"; $policy[] = "connect-src 'self'";
$policy[] = "object-src 'none'"; $policy[] = "object-src 'none'";
$policy[] = "font-src 'self' data:"; $policy[] = "font-src 'self' data:";

2
config/app.php
View file

@ -183,7 +183,7 @@ return [
| |
*/ */
'disable_csp' => env('DISABLE_CSP', false), 'enable_csp' => env('ENABLE_CSP', false),

4
resources/views/layouts/default.blade.php
View file

@ -84,8 +84,8 @@
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js" integrity="sha384-ZoaMbDF+4LeFxg6WdScQ9nnR1QC2MIRxA1O9KWEXQwns1G8UNyIEZIQidzb0T1fo" crossorigin="anonymous"></script> <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js" integrity="sha384-ZoaMbDF+4LeFxg6WdScQ9nnR1QC2MIRxA1O9KWEXQwns1G8UNyIEZIQidzb0T1fo" crossorigin="anonymous"></script>
@else @else
<script src="{{ url(asset('js/html5shiv.js')) }}"></script> <script src="{{ url(asset('js/html5shiv.js')) }}" nonce="{{ csrf_token() }}"></script>
<script src="{{ url(asset('js/respond.js')) }}"></script> <script src="{{ url(asset('js/respond.js')) }}" nonce="{{ csrf_token() }}"></script>
@endif @endif
<![endif]--> <![endif]-->
</head> </head>