Merge branch 'csp_sso_hostname' into 'master'

csp: sso support See merge request !1

Merge branch 'csp_sso_hostname' into 'master'
csp: sso support See merge request !1
1d507bb9 · godog · d361ece9 · 5864f17f · 1d507bb9 · 1d507bb9
Commit 1d507bb9 authored Jun 16, 2019 by godog
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 3 deletions

plugins/csp/config.inc.php plugins/csp/config.inc.php +3 -0

plugins/csp/csp.php plugins/csp/csp.php +9 -3

No files found.
--- a/plugins/csp/config.inc.php
+++ b/plugins/csp/config.inc.php
@@ -4,3 +4,6 @@
 // Set it to the relative URL path of the Roundcube installation.
 $config['csp_script_path'] = '/';

+// If non-empty, the proto + hostname to allow SSO requests,
+// e.g. https://sso.domain.org
+$config['csp_sso_hostname'] = '';
--- a/plugins/csp/csp.php
+++ b/plugins/csp/csp.php
@@ -20,10 +20,16 @@ class csp extends rcube_plugin {
    $host = $_SERVER['HTTP_HOST'];
    $proto = rcube_utils::https_check() ? 'https' : 'http';
    $path = $rcmail->config->get('csp_script_path', '/');
+    $src_sso = "";
+    $sso_hostname = $rcmail->config->get('csp_sso_hostname', '');
+    if($sso_hostname != '') {
+      $src_sso .= "{$sso_hostname}";
+    }
    $csp_header = (
-        "default-src 'self'; " .
-        "script-src 'self' {$proto}://{$host}{$path} 'unsafe-inline' 'unsafe-eval'; " .
-        "style-src 'self' 'unsafe-inline'; object-src 'none'");
+        "default-src 'self' {$src_sso}; " .
+        "script-src 'self' {$proto}://{$host}{$path} 'unsafe-inline' 'unsafe-eval' {$src_sso}; " .
+        "style-src 'self' 'unsafe-inline' {$src_sso}; " .
+        "object-src 'none'");
    header("Content-Security-Policy: {$csp_header}");
    return $content;
  }