From 2dd22811a0e4663fd81e82b0542e79f1f8e5c6da Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Thu, 19 Jan 2017 22:04:33 +0000
Subject: [PATCH] Finish portal CSP (#1138)

---
 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
index 86a0d7d58..965b80d88 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@@ -634,14 +634,13 @@ sub _dump {
 sub sendHtml {
     my ( $self, $req, $template, %args ) = @_;
-    my $csp = $self->csp;
+    my $csp = $self->csp . "form-action 'self'";
     push @{ $req->respHeaders }, 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff';
-    $csp .= "form-action 'self'";
     my $url = $args{params}->{URL};
     if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
-        $csp .= $url;
+        $csp .= " $url";
     }
     $csp .= ';';
     unless ( $self->conf->{portalAntiFrame} == 0 ) {
@@ -651,7 +650,7 @@ sub sendHtml {
 ( $req->info =~ /respHeaders }, 'X-Frame-Options' => 'DENY';
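Review bot: The host appended at `$csp .= " $url";` is whatever `[^/]+` captured from `$args{params}->{URL}`, and the substitution is not anchored, so if that value originates from the request then characters such as `;`, whitespace or CR/LF, or a host taken from the middle of the string, reach the Content-Security-Policy header value unvalidated. A stricter, anchored capture limited to a hostname and optional port would be safer, e.g. `if ( $url and $url =~ m{\Ahttps?://([A-Za-z0-9.-]+(?::\d+)?)(?:[/?#]|\z)}i ) {` followed by `$csp .= " $1";`, leaving the directive at `'self'` otherwise. Separately, `my $csp = $self->csp . "form-action 'self'";` joins the two strings with no separator, which is only a well-formed policy if the `csp` accessor (not visible in this hunk) already ends in `;` or a space; a short comment stating that assumption, or an explicit `'; '` join, would make it robust to changes in that accessor. sendHtml continues past the end of the hunk.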