Hi,
splitbrain opened a new pull request at
https://github.com/splitbrain/dokuwiki/pull/3310:
This adds a CSP header for all media delivered through our fetch.php
dispatcher. This should revent any scripts etc. to be executed when
scriptable media, like SVG is used.
Suggestions on finetuning the policy are welcome.
The policy is added to the MEDIA_SENDFILE event, so plugins can easily
influence it. The way it is passed as an array should make it easier to
modify from plugins as well.
I put the mechanism to send the header into it's own class in the HTTP
namespace. Additional methods from inc/httputils could be moved here
later. The method might also be interesting for #2198 and #1676.
Please help us to review this pull request, so new contributors get feedback in
a timely manner.
6d921f80-0e1f-11eb-95be-462ca6b5795a
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
