Introduce CSP_REPORT_URI to config and use it when setting up CSP headers as to where to report unsafe inline js to.
parent
02621f9e49
commit
1c54f22627
|
@ -2764,6 +2764,15 @@ our @options = (
|
|||
type => $types{boolean},
|
||||
category => 'system',
|
||||
},
|
||||
{
|
||||
name => 'ZM_CSP_REPORT_URI',
|
||||
default => '',
|
||||
description => 'URI to report unsafe inline javascript violations to',
|
||||
help => q`
|
||||
See https://en.wikipedia.org/wiki/Content_Security_Policy for more information. When the browser detects unsafe inline javascript it will report it to this url, which may warn you of malicious attacks on your ZoneMinder install.`,
|
||||
type => $types{url},
|
||||
category => 'system',
|
||||
},
|
||||
{
|
||||
name => 'ZM_TELEMETRY_DATA',
|
||||
default => 'no',
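Review bot: The help text for `ZM_CSP_REPORT_URI` does not say what form the value must take or what data leaves the install once it is set. A CSP violation report carries the URL of the page where the violation occurred and the blocked resource, so pointing this at a third-party collector discloses internal hostnames and paths. The value is also concatenated straight into the header in CSPHeaders(), so it needs to be a single absolute URL with no whitespace, `;` or `,`; whether `$types{url}` enforces that is not visible in this hunk and should be confirmed. I would extend the help with something like `Must be a single absolute https URL; leave empty to disable reporting. Reports include the URL of the page on which the violation occurred.`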
|
||||
|
|
|
@ -79,7 +79,9 @@ function CSPHeaders($view, $nonce) {
|
|||
}
|
||||
default: {
|
||||
// Use Report-Only mode on all other pages.
|
||||
header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc; report-uri https://zmrepo.zoneminder.com");
|
||||
header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc;".
|
||||
(ZM_CSP_REPORT_URI ? ' report-uri '.ZM_CSP_REPORT_URI : '' )
|
||||
);
|
||||
break;
|
||||
}
|
||||
}
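Review bot: `ZM_CSP_REPORT_URI` is appended to the header in the `default:` branch without checking that the constant is defined or that its value is a single URL. If the constant is missing (for example on an upgraded install whose stored config has not been refreshed yet, which is an assumption because config loading is outside this hunk), PHP 7 falls back to the literal string 'ZM_CSP_REPORT_URI' and emits it as the report target, while PHP 8 throws an Error. Guarding with `defined('ZM_CSP_REPORT_URI') && ZM_CSP_REPORT_URI` avoids both. A value containing `;` would be parsed by the browser as additional policy directives, so the directive should be skipped when `preg_match('/[\s;,]/', ZM_CSP_REPORT_URI)` matches. The enclosing switch starts outside the hunk, so it is not visible whether the enforced-policy branches also receive the report-uri.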
|
||||
|
|