Merge branch 'csp_sso_hostname' into 'master'

csp: sso support

See merge request !1

plugins/csp/config.inc.php

@@ -4,3 +4,6 @@
 // Set it to the relative URL path of the Roundcube installation.
 $config['csp_script_path'] = '/';
 
+// If non-empty, the proto + hostname to allow SSO requests,
+// e.g. https://sso.domain.org
+$config['csp_sso_hostname'] = '';

plugins/csp/csp.php

@@ -20,10 +20,16 @@ class csp extends rcube_plugin {
     $host = $_SERVER['HTTP_HOST'];
     $proto = rcube_utils::https_check() ? 'https' : 'http';
     $path = $rcmail->config->get('csp_script_path', '/');
+    $src_sso = "";
+    $sso_hostname = $rcmail->config->get('csp_sso_hostname', '');
+    if($sso_hostname != '') {
+      $src_sso .= "{$sso_hostname}";
+    }
     $csp_header = (
-        "default-src 'self'; " .
-        "script-src 'self' {$proto}://{$host}{$path} 'unsafe-inline' 'unsafe-eval'; " .
-        "style-src 'self' 'unsafe-inline'; object-src 'none'");
+        "default-src 'self' {$src_sso}; " .
+        "script-src 'self' {$proto}://{$host}{$path} 'unsafe-inline' 'unsafe-eval' {$src_sso}; " .
+        "style-src 'self' 'unsafe-inline' {$src_sso}; " .
+        "object-src 'none'");
     header("Content-Security-Policy: {$csp_header}");
     return $content;
   }