upstream/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2026-06-08 16:12:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Allow for the usage of {style_nonce} in the custom CSP-Header setting

Browse source
This commit is contained in:
Alexander Rieß 2026-03-12 13:18:24 +01:00
parent 4586f2fc9e
commit f692db5387
1 changed files with 15 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
library/Icinga/Util/Csp.php
View file

@ -157,12 +157,26 @@ class Csp
{
$config = Config::app();
if ($config->get('security', 'use_custom_csp', 'y') === 'y') {
return $config->get('security', 'custom_csp', '');
return self::getCustomContentSecurityPolicy();
}
return self::getAutomaticContentSecurityPolicy();
}
public static function getCustomContentSecurityPolicy(): ?string
{
$csp = static::getInstance();
if (empty($csp->styleNonce)) {
throw new RuntimeException('No nonce set for CSS');
}
$config = Config::app();
$raw = $config->get('security', 'custom_csp');
$formated = str_replace('{style_nonce}', "'nonce{$csp->styleNonce}'", $raw);
return $formated;
}
/**
* Get the automatically generated Content-Security-Policy.
*