From a9e01101dbf63a80157ead3608dd143595cdf47d Mon Sep 17 00:00:00 2001
From: Pablo Zmdl
Date: Tue, 29 Oct 2024 17:39:59 +0100
Subject: [PATCH] Add additional CSP header values only if present

If people write a lax default CSP they might set the additional config option to the blank string, or false. Then the CSP header should not contain that value.
---
 program/include/rcmail_output_html.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 6dc08225931..2bf661912fc 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2731,7 +2731,9 @@ protected function add_csp_header(): void
 $csp_header = "Content-Security-Policy: {$csp}";
 if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
- $csp_header .= "; {$csp_allow_remote}";
+ if (!in_array($csp_allow_remote, ['', false, 'false', null])) {
+ $csp_header .= "; {$csp_allow_remote}";
+ }
 }
 $this->header($csp_header);
 }
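Review bot: The new `in_array` guard on the added line uses loose comparison, so the set of values it rejects is wider than the list suggests: with PHP's `==`, `'0'` and `0` both match `false` and would silently drop an operator's CSP addition, while the intent stated in the commit message is only to skip empty/false settings. Pass the strict flag so the list is exactly what is honoured: `if (!in_array($csp_allow_remote, ['', false, 'false', null], true)) {`. Since the header value is security-relevant, a one-line comment above the check explaining why the string `'false'` is among the skipped spellings (presumably because the option can arrive as a string from config — worth confirming against get_csp_value) would help the next maintainer; whether get_csp_value already trims whitespace is not visible here, so a whitespace-only value may still produce an empty `; ` directive. The enclosing add_csp_header() body starts before this hunk.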