Skip to content

Commit

Permalink
Add additional CSP header values only if present
Browse files Browse the repository at this point in the history
If people write a lax default CSP they might set the additional config
option to the blank string, or false. Then the CSP header should not
contain that value.
  • Loading branch information
pabzm committed Oct 29, 2024
1 parent fa9aec7 commit 304ae70
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion program/include/rcmail_output_html.php
Original file line number Diff line number Diff line change
Expand Up @@ -2731,7 +2731,9 @@ protected function add_csp_header(): void
$csp_header = "Content-Security-Policy: {$csp}";
if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
$csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
$csp_header .= "; {$csp_allow_remote}";
if (!in_array($csp_allow_remote, ['', false, 'false', null])) {
$csp_header .= "; {$csp_allow_remote}";
}
}
$this->header($csp_header);
}
Expand Down

0 comments on commit 304ae70

Please sign in to comment.