fix(csp): refine img-src policy to improve security

Switched 'img-src' directive to only allow 'self', and removed the wildcard '*' and 'data:' source settings. This adjustment enhances security by restricting image sources to the same origin, preventing potential exploitation from arbitrary or data URLs.
Kumi 2024-07-21 11:44:19 +02:00
parent c9fadaae20
commit 98a7e42c15
Signed by: kumi
GPG key ID: ECBCC9082395383F


@ -41,6 +41,7 @@ class CspMiddleware
->addDirective('font-src', ['self' => true]) ->addDirective('font-src', ['self' => true])
->addDirective('style-src', ['self' => true]) ->addDirective('style-src', ['self' => true])
->addDirective('manifest-src', ['self' => true]) ->addDirective('manifest-src', ['self' => true])
->addDirective('img-src', ['self' => true])
->addDirective('base-uri', []) ->addDirective('base-uri', [])
->addDirective('frame-ancestors', []) ->addDirective('frame-ancestors', [])
->addSource('form-action', '*') ->addSource('form-action', '*')
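Review bot: The hunk counts (-41,6 +41,7) show one line added and none removed, so the wildcard '*' and 'data:' img-src sources that the commit message says were removed do not appear in this diff; either the directive was previously absent (in which case images fell back to whatever default-src allowed) and the message should say so, or the removal belongs in this change. Before merging, confirm that no template relies on data: image URIs (inline-generated images, for example), since `->addDirective('img-src', ['self' => true])` will now block them. Separately, the unchanged context line `->addSource('form-action', '*')` still permits form submissions to any origin, which undercuts the tightening done here; if the application does not post forms cross-origin, consider `['self' => true]` there as well.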