Introduce CSP_REPORT_URI to config and use it when setting up CSP headers as the URI to which unsafe inline JS violations are reported.

Isaac Connor 2019-11-08 15:18:08 -05:00
parent 02621f9e49
commit 1c54f22627
2 changed files with 12 additions and 1 deletions


@ -2764,6 +2764,15 @@ our @options = (
type => $types{boolean},
category => 'system',
},
{
name => 'ZM_CSP_REPORT_URI',
default => '',
description => 'URI to report unsafe inline javascript violations to',
help => q`
See https://en.wikipedia.org/wiki/Content_Security_Policy for more information. When the browser detects unsafe inline javascript it will report it to this url, which may warn you of malicious attacks on your ZoneMinder install.`,
type => $types{url},
category => 'system',
},
{
name => 'ZM_TELEMETRY_DATA',
default => 'no',
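Review bot: The help text for ZM_CSP_REPORT_URI never says what the empty default means, although the header code in this commit only emits a `report-uri` directive when the option is non-empty; the q`...` string should end with a sentence such as `Leave this blank to disable violation reporting.` A CSP violation report carries the URL of the page that triggered it together with the blocked resource, so the help should also say that pointing this at an endpoint you do not control (the old hard-coded value was a third-party host) discloses your ZoneMinder URLs to that party. It may be worth noting in the help that `report-uri` is deprecated in CSP Level 3 in favour of `report-to`, so the value should be an endpoint that accepts the legacy report format; browsers still honour `report-uri` today.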


@ -79,7 +79,9 @@ function CSPHeaders($view, $nonce) {
}
default: {
// Use Report-Only mode on all other pages.
header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc; report-uri https://zmrepo.zoneminder.com");
header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc;".
(ZM_CSP_REPORT_URI ? ' report-uri '.ZM_CSP_REPORT_URI : '' )
);
break;
}
}
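Review bot: The ternary on the new `(ZM_CSP_REPORT_URI ? ' report-uri '.ZM_CSP_REPORT_URI : '' )` line assumes the constant exists; if, as elsewhere in this codebase, config options only become PHP constants once the new row is present in the database, an install that has not yet been updated would evaluate an undefined constant, which PHP treats as the truthy string `'ZM_CSP_REPORT_URI'` and would send `report-uri ZM_CSP_REPORT_URI` to every browser. Guarding it, `(defined('ZM_CSP_REPORT_URI') && ZM_CSP_REPORT_URI ? ' report-uri '.ZM_CSP_REPORT_URI : '')`, keeps the header well-formed during the upgrade window. The removed line reported to `https://zmrepo.zoneminder.com` unconditionally while the new option defaults to empty, so this commit silently turns off violation reporting for existing installs; the commit message should say so. The enclosing CSPHeaders() function begins outside the hunk.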