ZaneYork
/
zoneminder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix recaptcha support with the CSP (#2420)

This commit is contained in:
Matt N 2019-01-19 06:47:04 -08:00 committed by Isaac Connor
parent c0a6e54d60
commit 35fb4366b6
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
web/includes/functions.php
View File

@ -36,13 +36,22 @@ function noCacheHeaders() {
} }
function CSPHeaders($view, $nonce) { function CSPHeaders($view, $nonce) {
$additionalScriptSrc = "";
switch ($view) { switch ($view) {
case 'login': {
if (defined('ZM_OPT_USE_GOOG_RECAPTCHA')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
&& ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SITEKEY && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY) {
$additionalScriptSrc = "https://www.google.com";
}
// fall through
}
case 'bandwidth': case 'bandwidth':
case 'blank': case 'blank':
case 'controlcap': case 'controlcap':
case 'function': case 'function':
case 'log': case 'log':
case 'login':
case 'logout': case 'logout':
case 'options': case 'options':
case 'privacy': case 'privacy':
@ -51,12 +60,12 @@ function CSPHeaders($view, $nonce) {
// Enforce script-src on pages where inline scripts and event handlers have been fixed. // Enforce script-src on pages where inline scripts and event handlers have been fixed.
// 'unsafe-inline' is only for backwards compatibility with browsers which // 'unsafe-inline' is only for backwards compatibility with browsers which
// only support CSP 1 (with no nonce-* support). // only support CSP 1 (with no nonce-* support).
header("Content-Security-Policy: script-src 'unsafe-inline' 'self' 'nonce-$nonce'"); header("Content-Security-Policy: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc");
break; break;
} }
default: { default: {
// Use Report-Only mode on all other pages. // Use Report-Only mode on all other pages.
header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce'"); header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc");
break; break;
} }
} }