config = $container->get('config'); }

    /**
     * Build the Content-Security-Policy for this response and attach it.
     *
     * The policy is deny-by-default: `default-src` is given an empty source
     * list (intended to compile to 'none' — NOTE(review): confirm that is how
     * this CSPBuilder version renders an empty list), so every fetch directive
     * that is not listed here (script-src outside debug, connect-src,
     * object-src, frame-src, worker-src, ...) inherits that deny.
     *
     * Security-relevant choices worth knowing before changing anything:
     *  - `base-uri` and `frame-ancestors` get the same empty (deny) list; the
     *    latter is the modern replacement for X-Frame-Options, which this
     *    middleware does not emit — add it separately if pre-CSP2 browsers
     *    still need clickjacking protection.
     *  - `form-action` is opened to `*`, so an injected <form> may submit to
     *    any origin; this is the one place the policy does not limit
     *    exfiltration and should be narrowed if the app does not need it.
     *  - `img-src` ends up as 'self' plus `*` and `data:`; the wildcard
     *    subsumes 'self', so images are effectively unrestricted.
     *  - Legacy header variants (X-Content-Security-Policy / X-WebKit-CSP)
     *    are switched off via disableOldBrowserSupport().
     *  - When `$this->config->debug` is true, `script-src` and `style-src`
     *    are REPLACED (setDirective, not extended) with 'self' 'unsafe-inline'
     *    so the debug toolbars can inject markup. 'unsafe-inline' on script-src
     *    removes the XSS mitigation the header exists for, so `debug` must
     *    never be enabled on a production deployment.
     *  - No report-uri / report-to is configured; violations are not reported.
     *
     * @param Response $response Response the header is added to (not mutated;
     *                           a copy carrying the header is returned).
     * @return MessageInterface The response with the CSP header injected.
     */
    public function applyHeader(Response $response): MessageInterface
    {
        $policy = new CSPBuilder();

        // No legacy X-*-CSP headers, only the standard one.
        $policy->disableOldBrowserSupport();

        // Baseline: deny everything, then whitelist same-origin for the
        // resource types the app itself serves.
        $policy->addDirective('default-src', []);
        $policy->addDirective('font-src', ['self' => true]);
        $policy->addDirective('style-src', ['self' => true]);
        $policy->addDirective('manifest-src', ['self' => true]);
        $policy->addDirective('img-src', ['self' => true]);

        // Navigation/embedding hardening: no <base> rewriting, no framing.
        $policy->addDirective('base-uri', []);
        $policy->addDirective('frame-ancestors', []);

        // Deliberate relaxations (see the class docblock for the trade-offs).
        $policy->addSource('form-action', '*');
        $policy->addSource('img-src', '*');
        $policy->addSource('img-src', 'data:');

        if ($this->config->debug) {
            // maximebf/debugbar, symfony/debug and symfony/error-handler inject
            // inline <script>/<style>; this overwrites the directives above.
            $policy->setDirective('script-src', ['self' => true, 'unsafe-inline' => true]);
            $policy->setDirective('style-src', ['self' => true, 'unsafe-inline' => true]);
        }

        return $policy->injectCSPHeader($response);
    }

    /**
     * Double-pass middleware entry point: attach the CSP header to the
     * outgoing response before handing it to the next middleware.
     *
     * The header is set before `$next` runs, so a later middleware or handler
     * that replaces the response object (rather than deriving from it) would
     * drop the policy — NOTE(review): verify the rest of the stack derives
     * from the response it is given.
     *
     * @param Request  $request
     * @param Response $response
     * @param callable $next     Next middleware, called as $next($request, $response).
     * @return mixed Whatever `$next` returns.
     */
    public function __invoke(Request $request, Response $response, callable $next)
    {
        $withPolicy = $this->applyHeader($response);

        return $next($request, $withPolicy);
    }
}