Finish portal CSP (#1138)

2017-01-19 22:04:33 +00:00 · 2017-01-19 22:04:33 +00:00 · 2dd22811a0
commit 2dd22811a0
parent 942be4148b
1 changed files with 3 additions and 4 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@ -634,14 +634,13 @@ sub _dump {

 sub sendHtml {
    my ( $self, $req, $template, %args ) = @_;
-    my $csp = $self->csp;
+    my $csp = $self->csp . "form-action 'self'";
    push @{ $req->respHeaders },
      'X-XSS-Protection'       => '1; mode=block',
      'X-Content-Type-Options' => 'nosniff';
-    $csp .= "form-action 'self'";
    my $url = $args{params}->{URL};
    if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
-        $csp .= $url;
+        $csp .= " $url";
    }
    $csp .= ';';
    unless ( $self->conf->{portalAntiFrame} == 0 ) {
@ -651,7 +650,7 @@ sub sendHtml {
              ( $req->info =~ /<iframe.*?src="(.*?)"/sg );
        }
        if (@url) {
-            $csp = join 'frame-ancestors', @url;
+            $csp .= join( ' ', 'frame-ancestors', @url ) . ';';
        }
        else {
            push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY';