From ba9a871daf97de69555bf54e5e2289954dff1b32 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 18 Aug 2021 10:52:45 -0400
Subject: [PATCH] Move CSP stuff down to view parsing. ajax requests only output json, so CSP shouldn't be relevant. Only end output buffer if there is one. archive view for example clears all output buffers.

---
 web/index.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/web/index.php b/web/index.php
index d003fadb6..b3df502f6 100644
--- a/web/index.php
+++ b/web/index.php
@@ -192,8 +192,6 @@ $user = null;
 if ( isset($_REQUEST['view']) )
   $view = detaintPath($_REQUEST['view']);
-# Add CSP Headers
-$cspNonce = bin2hex(zm_random_bytes(16));
 $request = null;
 if ( isset($_REQUEST['request']) )
@@ -294,8 +292,11 @@ if ( $request ) {
   return;
 }
+# Add CSP Headers
+$cspNonce = bin2hex(zm_random_bytes(16));
 if ( $includeFiles = getSkinIncludes('views/'.$view.'.php', true, true) ) {
   ob_start();
+  CSPHeaders($view, $cspNonce);
   foreach ( $includeFiles as $includeFile ) {
     if ( !file_exists($includeFile) )
       ZM\Fatal("View '$view' does not exist");
@@ -309,9 +310,7 @@ if ( $includeFiles = getSkinIncludes('views/'.$view.'.php', true, true) ) {
     foreach ( getSkinIncludes('views/login.php', true, true) as $includeFile )
       require_once $includeFile;
   }
-
-  CSPHeaders($view, $cspNonce);
-  ob_end_flush();
+  while (ob_get_level() > 0) ob_end_flush();
 }
 // If the view is missing or the view still returned error with the user logged in,
 // then it is not recoverable.
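Review bot: The new `while (ob_get_level() > 0) ob_end_flush();` in the last hunk can spin forever, because ob_end_flush() returns false without lowering the buffer level when the top buffer is not removable (a handler started without PHP_OUTPUT_HANDLER_REMOVABLE), so the loop condition never changes. It also flushes buffers this script did not open, such as one created by the output_buffering ini setting or by a bootstrap include, which the old single ob_end_flush() left in place. Recording the level before the buffer is opened and stopping on failure bounds both: `$obLevel = ob_get_level();` before `ob_start();` in the second hunk, and `while (ob_get_level() > $obLevel && ob_end_flush()) {}` in place of the new line; the case the commit message describes, a view that has already closed every buffer, is still handled because the condition is then false. The enclosing `if ( $includeFiles = ... )` block begins in the previous hunk, and since `$cspNonce` is now only assigned on the view path, any request-path code outside this diff that reads it would need checking.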