From 5864f17f68632c41af40017d4f95be78918176f6 Mon Sep 17 00:00:00 2001
From: godog
Date: Sun, 16 Jun 2019 00:28:58 +0200
Subject: [PATCH] csp: sso support

---
 plugins/csp/config.inc.php | 3 +++
 plugins/csp/csp.php | 12 +++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/plugins/csp/config.inc.php b/plugins/csp/config.inc.php
index c12bb45..1f2461a 100644
--- a/plugins/csp/config.inc.php
+++ b/plugins/csp/config.inc.php
@@ -4,3 +4,6 @@
 // Set it to the relative URL path of the Roundcube installation.
 $config['csp_script_path'] = '/';
+// If non-empty, the proto + hostname to allow SSO requests,
+// e.g. https://sso.domain.org
+$config['csp_sso_hostname'] = '';
diff --git a/plugins/csp/csp.php b/plugins/csp/csp.php
index 3bcd900..e613dc6 100644
--- a/plugins/csp/csp.php
+++ b/plugins/csp/csp.php
@@ -20,10 +20,16 @@ class csp extends rcube_plugin {
 $host = $_SERVER['HTTP_HOST'];
 $proto = rcube_utils::https_check() ? 'https' : 'http';
 $path = $rcmail->config->get('csp_script_path', '/');
+ $src_sso = "";
+ $sso_hostname = $rcmail->config->get('csp_sso_hostname', '');
+ if($sso_hostname != '') {
+ $src_sso .= "{$sso_hostname}";
+ }
 $csp_header = (
- "default-src 'self'; " .
- "script-src 'self' {$proto}://{$host}{$path} 'unsafe-inline' 'unsafe-eval'; " .
- "style-src 'self' 'unsafe-inline'; object-src 'none'");
+ "default-src 'self' {$src_sso}; " .
+ "script-src 'self' {$proto}://{$host}{$path} 'unsafe-inline' 'unsafe-eval' {$src_sso}; " .
+ "style-src 'self' 'unsafe-inline' {$src_sso}; " .
+ "object-src 'none'");
 header("Content-Security-Policy: {$csp_header}");
 return $content;
 }
--
GitLab
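Review bot: The new comment on `csp_sso_hostname` does not say that the value is written verbatim into the Content-Security-Policy header as a source expression, which is what constrains its format. I would extend it to read `// Inserted as-is into the CSP header as a source expression: a single scheme://host[:port],` / `// no spaces or semicolons, e.g. https://sso.domain.org`. Naming the directives it is added to (default-src, script-src, style-src in csp.php) would also help an administrator judge how much the policy widens.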
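Review bot: The added `$src_sso` block interpolates the `csp_sso_hostname` config value into the header without checking its shape, so a value containing whitespace or `;` silently becomes extra source expressions or a new directive rather than one allowed origin. Since the guard already exists, I would tighten it to `if ($sso_hostname !== '' && !preg_match('/[\s;,]/', $sso_hostname)) {` and simplify the body to `$src_sso = $sso_hostname;` (the `.=` onto an empty string and the `"{$sso_hostname}"` wrapper add nothing). Separately, appending the origin to `default-src` also widens every fetch directive that falls back to it (connect-src, img-src, frame-src, font-src, …), which is probably more than the SSO flow needs; if the flow only involves scripts and styles, `script-src`/`style-src` alone would do, and if it relies on redirects or frames, `form-action`/`frame-src` are the directives to extend instead. When `$src_sso` is empty the policy now contains `'self' ;`, which is harmless to parsers but reads oddly in the header. The enclosing method starts above this hunk.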