Merge pull request #3041 from mnoorenberghe/unsafe_inline_backcompat

Drop support for CSP 1 browsers (with no nonce-* support)
Isaac Connor 2020-09-10 18:09:44 -04:00 committed by GitHub
commit 3b7bde755e
1 changed files with 2 additions and 4 deletions


@ -79,14 +79,12 @@ function CSPHeaders($view, $nonce) {
case 'storage':
case 'version': {
// Enforce script-src on pages where inline scripts and event handlers have been fixed.
// 'unsafe-inline' is only for backwards compatibility with browsers which
// only support CSP 1 (with no nonce-* support).
header("Content-Security-Policy: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc");
header("Content-Security-Policy: script-src 'self' 'nonce-$nonce' $additionalScriptSrc");
break;
}
default: {
// Use Report-Only mode on all other pages.
header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self' 'nonce-$nonce' $additionalScriptSrc;".
header("Content-Security-Policy-Report-Only: script-src 'self' 'nonce-$nonce' $additionalScriptSrc;".
(ZM_CSP_REPORT_URI ? ' report-uri '.ZM_CSP_REPORT_URI : '' )
);
break;
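Review bot: With `'unsafe-inline'` gone from the enforced header on the new `header("Content-Security-Policy: script-src 'self' 'nonce-$nonce' ...")` line, the nonce is now the only thing that authorises inline scripts on the storage/version views, yet nothing in this hunk records the contract `$nonce` and `$additionalScriptSrc` must satisfy — both are produced outside the hunk, and `CSPHeaders()` itself begins before line 13. PHP's `header()` rejects CR/LF, but a nonce containing `;`, `'` or whitespace would still truncate or corrupt the policy, and a predictable or reused nonce would make it no stronger than the `'unsafe-inline'` the commit removes; I would add above the header call: `// $nonce must be a fresh per-request CSPRNG value (e.g. base64 of random_bytes()) with no quotes, ';' or whitespace; a reused or guessable nonce defeats this policy.` If `$additionalScriptSrc` comes from admin configuration, it is presumably worth validating it as a whitespace-separated list of source expressions so that a setting cannot silently re-add `'unsafe-inline'` — I cannot see where it is built, so treat that as a thing to confirm. The same nonce caveat applies to the Report-Only branch, which now carries an identical `script-src` list.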