/**
 * Emit the HTTP security headers for the current page: frame busting
 * (clickjacking) plus a Content Security Policy that restricts scripts,
 * styles and images to our own origin (XSS/CSRF hardening).
 *
 * Does nothing when output has already started, since headers can no
 * longer be sent at that point.
 *
 * @return void
 */
function http_security_headers() {
	if( headers_sent() ) {
		return;
	}

	header( 'X-Frame-Options: DENY' );

	# Base Content Security Policy: every resource class limited to our own
	# origin, and no embedding by any ancestor frame (this complements the
	# X-Frame-Options header above for CSP-aware browsers).
	$t_base_policy = array(
		'default-src'     => "'self'",
		'frame-ancestors' => "'none'",
		'style-src'       => "'self'",
		'script-src'      => "'self'",
		'img-src'         => "'self'",
	);
	foreach( $t_base_policy as $t_directive => $t_source ) {
		http_csp_add( $t_directive, $t_source );
	}

	# Allow the CDN host for styles, scripts and images when the CDN is in use.
	if( config_get_global( 'cdn_enabled' ) == ON ) {
		$t_cdn_host = 'ajax.googleapis.com';
		foreach( array( 'style-src', 'script-src', 'img-src' ) as $t_directive ) {
			http_csp_add( $t_directive, $t_cdn_host );
		}
	}

	# Page-specific relaxations. Each one weakens the policy for that page
	# only and is tied to a tracked issue, so it should be dropped once the
	# underlying cause is fixed.
	$t_page = basename( $_SERVER['SCRIPT_NAME'] );

	# Roadmap: inline styles are needed for the progress bars (see #19501).
	if( $t_page === 'roadmap_page.php' ) {
		http_csp_add( 'style-src', "'unsafe-inline'" );
	}

	# Bug update: the JS calendar control relies on eval(); remove once the
	# control is upgraded (see #20040).
	if( $t_page === 'bug_update_page.php' ) {
		http_csp_add( 'script-src', "'unsafe-eval'" );
	}

	http_csp_emit_header();
}
/**
 * Register the gravatar URL as a permitted CSP img-src so avatar images
 * are not blocked by the Content Security Policy.
 *
 * No-op when avatars are turned off via the show_avatar option.
 *
 * @return void
 */
function csp_headers() {
	$t_avatars_enabled = config_get( 'show_avatar' ) !== OFF;
	if( !$t_avatars_enabled ) {
		return;
	}

	# NOTE(review): self:: only resolves inside a class, so this is presumably a
	# method of the class that defines getAvatarUrl(); the class header is not
	# visible here - confirm.
	http_csp_add( 'img-src', self::getAvatarUrl() );
}