diff --git a/web/includes/functions.php b/web/includes/functions.php
index 862590b10..c33de8439 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@@ -36,13 +36,22 @@ function noCacheHeaders() {
 }
 
 function CSPHeaders($view, $nonce) {
+  $additionalScriptSrc = "";
   switch ($view) {
+    case 'login': {
+      if (defined('ZM_OPT_USE_GOOG_RECAPTCHA')
+        && defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
+        && defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
+        && ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SITEKEY && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY) {
+        $additionalScriptSrc = "https://www.google.com";
+      }
+      // fall through
+    }
     case 'bandwidth':
     case 'blank':
     case 'controlcap':
     case 'function':
     case 'log':
-    case 'login':
     case 'logout':
     case 'options':
     case 'privacy':
@@ -51,12 +60,12 @@ function CSPHeaders($view, $nonce) {
       // Enforce script-src on pages where inline scripts and event handlers have been fixed.
       // 'unsafe-inline' is only for backwards compatibility with browsers which
       // only support CSP 1 (with no nonce-* support).
-      header("Content-Security-Policy: script-src 'unsafe-inline' 'self' 'nonce-$nonce'");
+      header("Content-Security-Policy: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc");
       break;
     }
     default: {
       // Use Report-Only mode on all other pages.
-      header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce'");
+      header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc");
       break;
     }
 }
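Review bot: The value assigned in the new `case 'login'` block allowlists the entire `https://www.google.com` origin for script-src, where the path-scoped form `https://www.google.com/recaptcha/` covers the reCAPTCHA loader without admitting every other script that origin serves; Google's CSP guidance for reCAPTCHA additionally lists `https://www.gstatic.com/recaptcha/`, from which the loader fetches its main script, so with only the google.com entry the widget will probably still be blocked under the enforcing header — worth confirming in a browser console before merging. A narrower and more complete value would be `$additionalScriptSrc = "https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/";`. In the second hunk `$additionalScriptSrc` is also interpolated into the Report-Only header, but since the login case falls through to the enforcing branch it is always empty there, and both headers gain a trailing space whenever it is unset; assembling the source list with something like `implode(' ', array_filter([...]))` keeps the header clean in both cases. The closing brace of CSPHeaders appears to lie outside the second hunk.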