From ca4ec91ef366506a3336b88b1240398c9bfb27d5 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 18 Aug 2021 10:52:45 -0400
Subject: [PATCH] Move CSP stuff down to view parsing. ajax requests only output json, so CSP shouldn't be relevant. Only end output buffer if there is one. archive view for example clears all output buffers.

---
 web/index.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/web/index.php b/web/index.php
index d003fadb6..b3df502f6 100644
--- a/web/index.php
+++ b/web/index.php
@@ -192,8 +192,6 @@ $user = null;
 if ( isset($_REQUEST['view']) )
   $view = detaintPath($_REQUEST['view']);
 
-# Add CSP Headers
-$cspNonce = bin2hex(zm_random_bytes(16));
 
 $request = null;
 if ( isset($_REQUEST['request']) )
@@ -294,8 +292,11 @@ if ( $request ) {
   return;
 }
 
+# Add CSP Headers
+$cspNonce = bin2hex(zm_random_bytes(16));
 if ( $includeFiles = getSkinIncludes('views/'.$view.'.php', true, true) ) {
   ob_start();
+  CSPHeaders($view, $cspNonce);
   foreach ( $includeFiles as $includeFile ) {
     if ( !file_exists($includeFile) )
       ZM\Fatal("View '$view' does not exist");
@@ -309,9 +310,7 @@ if ( $includeFiles = getSkinIncludes('views/'.$view.'.php', true, true) ) {
     foreach ( getSkinIncludes('views/login.php', true, true) as $includeFile )
       require_once $includeFile;
   }
-
-  CSPHeaders($view, $cspNonce);
-  ob_end_flush();
+  while (ob_get_level() > 0) ob_end_flush();
 }
 // If the view is missing or the view still returned error with the user logged in,
 // then it is not recoverable.
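Review bot: `$cspNonce` is now assigned only after the `if ( $request ) { … return; }` block, so any request handler reached through that early return that still renders markup with an inline script referencing the nonce would see an undefined variable, and with no CSP header sent that handler's inline script is no longer covered by the policy at all; the commit message asserts request handlers emit only JSON, which nothing in this hunk (or the first hunk, where the old assignment is removed) confirms. If that assumption is intended as an invariant, state it above the new assignment, e.g. `# Nonce and CSP header apply to rendered views only; request handlers return JSON and must not emit HTML.`, so the next handler that returns HTML is caught in review. Calling `CSPHeaders($view, $cspNonce)` immediately after `ob_start()` and before the view includes is the right order, since the header has to leave before any buffered view output is flushed. The `if ( $includeFiles = … )` block continues past the end of this hunk.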
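Review bot: The new `while (ob_get_level() > 0) ob_end_flush();` unwinds every output buffer on the stack, not only the one opened by the `ob_start()` earlier in this block, so a buffer that a caller of index.php may have opened before this point (an output handler, for instance) would be flushed and closed here as well, whereas the replaced single `ob_end_flush()` only ended this block's own level. If the goal stated in the commit message is just to tolerate views that have already discarded the buffer, `if (ob_get_level() > 0) { ob_end_flush(); }` expresses that without reaching past this block's level. Whichever form is kept, give the statement braces rather than a bare single-statement body. The enclosing `if ( $includeFiles = … )` block begins before this hunk.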