Move CSP stuff down to view parsing. ajax requests only output json, so CSP shouldn't be relevant. Only end output buffer if there is one. archive view for example clears all output buffers.
This commit is contained in:
parent
eb1124c406
commit
ba9a871daf
|
@ -192,8 +192,6 @@ $user = null;
|
||||||
if ( isset($_REQUEST['view']) )
|
if ( isset($_REQUEST['view']) )
|
||||||
$view = detaintPath($_REQUEST['view']);
|
$view = detaintPath($_REQUEST['view']);
|
||||||
|
|
||||||
# Add CSP Headers
|
|
||||||
$cspNonce = bin2hex(zm_random_bytes(16));
|
|
||||||
|
|
||||||
$request = null;
|
$request = null;
|
||||||
if ( isset($_REQUEST['request']) )
|
if ( isset($_REQUEST['request']) )
|
||||||
|
@ -294,8 +292,11 @@ if ( $request ) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Add CSP Headers
|
||||||
|
$cspNonce = bin2hex(zm_random_bytes(16));
|
||||||
if ( $includeFiles = getSkinIncludes('views/'.$view.'.php', true, true) ) {
|
if ( $includeFiles = getSkinIncludes('views/'.$view.'.php', true, true) ) {
|
||||||
ob_start();
|
ob_start();
|
||||||
|
CSPHeaders($view, $cspNonce);
|
||||||
foreach ( $includeFiles as $includeFile ) {
|
foreach ( $includeFiles as $includeFile ) {
|
||||||
if ( !file_exists($includeFile) )
|
if ( !file_exists($includeFile) )
|
||||||
ZM\Fatal("View '$view' does not exist");
|
ZM\Fatal("View '$view' does not exist");
|
||||||
|
@ -309,9 +310,7 @@ if ( $includeFiles = getSkinIncludes('views/'.$view.'.php', true, true) ) {
|
||||||
foreach ( getSkinIncludes('views/login.php', true, true) as $includeFile )
|
foreach ( getSkinIncludes('views/login.php', true, true) as $includeFile )
|
||||||
require_once $includeFile;
|
require_once $includeFile;
|
||||||
}
|
}
|
||||||
|
while (ob_get_level() > 0) ob_end_flush();
|
||||||
CSPHeaders($view, $cspNonce);
|
|
||||||
ob_end_flush();
|
|
||||||
}
|
}
|
||||||
// If the view is missing or the view still returned error with the user logged in,
|
// If the view is missing or the view still returned error with the user logged in,
|
||||||
// then it is not recoverable.
|
// then it is not recoverable.
|
||||||
|
|
Loading…
Reference in New Issue