Set X-Frame-Options: DENY when frame_ancestors is empty

This commit is contained in:
the-djmaze 2023-02-21 19:15:21 +01:00
parent 66fafd3981
commit 145c11d58e
2 changed files with 7 additions and 3 deletions


@ -26,7 +26,6 @@
# Header set Strict-Transport-Security "max-age=31536000"
Header set imagetoolbar "no"
# Header set X-Content-Type-Options "nosniff"
# Header set X-Frame-Options "DENY"
# Header set X-XSS-Protection "1; mode=block"
Header set Service-Worker-Allowed "/"


@ -29,8 +29,8 @@ class CSP
{
if ($default) {
foreach (\explode(';', $default) as $directive) {
$values = \explode(' ', $directive);
$name = \str_replace('-', '_', \preg_replace('/-(src)$/D', '', \trim(\array_shift($values))));
$values = \preg_split('/\\s+/', $directive);
$name = \str_replace('-', '_', \preg_replace('/-(src|uri)$/D', '', \trim(\array_shift($values))));
$this->$name = \array_unique(\array_merge($this->$name, $values));
}
}
@ -73,6 +73,11 @@ class CSP
} else {
\header('Content-Security-Policy: ' . $this);
}
if (!$this->frame_ancestors) {
\header('X-Frame-Options: DENY');
} else {
// \header('X-Frame-Options: SAMEORIGIN');
}
}
public static function logReport() : void
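Review bot: The new `if (!$this->frame_ancestors)` test in the second hunk keys the legacy header on array emptiness, so a policy that explicitly configures `frame-ancestors 'none'` (non-empty array, per the `array_merge` in the first hunk) skips `X-Frame-Options: DENY` in exactly the case where denial was requested, and a `'self'`-only policy sends no fallback at all, leaving user agents without CSP Level 2 `frame-ancestors` support unprotected. The `else` branch holding only a commented-out header is dead code and should either be removed or become the SAMEORIGIN fallback it hints at. Whether an empty `frame_ancestors` makes `__toString()` emit `'none'` or omit the directive is not visible here and should be confirmed, since the header is also sent when the CSP is in report-only mode. The enclosing method starts before this hunk.
```php
// … unchanged: Content-Security-Policy / report-only header emission …
$ancestors = \array_values($this->frame_ancestors);
if (!$ancestors || $ancestors === ["'none'"]) {
    \header('X-Frame-Options: DENY');
} elseif ($ancestors === ["'self'"]) {
    // Legacy fallback for user agents that ignore CSP frame-ancestors
    \header('X-Frame-Options: SAMEORIGIN');
}
```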