Use Content-Security-Policy: for all views instead of Report-Only

2022-05-04 12:08:17 -04:00 · 2022-05-04 12:08:17 -04:00 · 04e4f3b8da
parent c58e63e927
commit 04e4f3b8da
1 changed files with 3 additions and 33 deletions
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@ -45,7 +45,7 @@ function CSPHeaders($view, $nonce) {

  $additionalScriptSrc = implode(' ', array_map(function($S){return $S->Hostname();}, $Servers));
  switch ($view) {
-    case 'login': {
+    case 'login':
      if (defined('ZM_OPT_USE_GOOG_RECAPTCHA')
          && defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
          && defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
@ -53,42 +53,12 @@ function CSPHeaders($view, $nonce) {
        $additionalScriptSrc .= ' https://www.google.com';
      }
      // fall through
-    }
-    case 'bandwidth':
-    case 'blank':
-    case 'console':
-    case 'controlcap':
-    case 'cycle':
-    case 'donate':
-    case 'download':
-    case 'error':
-    case 'events':
-    case 'export':
-    case 'frame':
-    case 'function':
-    case 'log':
-    case 'logout':
-    case 'optionhelp':
-    case 'options':
-    case 'plugin':
-    case 'postlogin':
-    case 'privacy':
-    case 'server':
-    case 'state':
-    case 'status':
-    case 'storage':
-    case 'version': {
+    default:
      // Enforce script-src on pages where inline scripts and event handlers have been fixed.
-      header("Content-Security-Policy: script-src 'self' 'nonce-$nonce' $additionalScriptSrc");
-      break;
-    }
-    default: {
-      // Use Report-Only mode on all other pages.
-      header("Content-Security-Policy-Report-Only: script-src 'self' 'nonce-$nonce' $additionalScriptSrc;".
+      header("Content-Security-Policy: script-src 'self' 'nonce-$nonce' $additionalScriptSrc".
        (ZM_CSP_REPORT_URI ? ' report-uri '.ZM_CSP_REPORT_URI : '' )
      );
      break;
-    }
  }
 }