
All: add CSP report only header for all blog sites
- allow scripts, styles, and images from code.jquery.com

Ref jquery/infrastructure-puppet#54
Closes gh-8
timmywil authored Dec 25, 2024
1 parent 6710984 commit 80715f1
Showing 1 changed file with 32 additions and 0 deletions.
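--- a/jquery/functions.php
+++ b/jquery/functions.php
@@ -281,3 +281,35 @@ function twentyeleven_body_classes( $classes ) {
 return $classes;
 }
 add_filter( 'body_class', 'twentyeleven_body_classes' );
+
+/**
+* Content Security Policy
+*/
+function twentyeleven_content_security_policy() {
+$report_url = 'https://csp-report-api.openjs-foundation.workers.dev/';
+$policy = array(
+'default-src' => "'self'",
+'script-src' => "'self' code.jquery.com",
+'style-src' => "'self' code.jquery.com",
+'img-src' => "'self' code.jquery.com",
+'object-src' => "'none'",
+'frame-ancestors' => "'none'",
+'block-all-mixed-content' => '',
+'report-to' => 'csp-endpoint',
+// Add report-uri for Firefox, which
+// does not yet support report-to
+'report-uri' => $report_url,
+);
+
+$policy = apply_filters( 'twentyeleven_content_security_policy', $policy );
+
+$policy_string = '';
+foreach ( $policy as $key => $value ) {
+$policy_string .= $key . ' ' . $value . '; ';
+}
+
+header( 'Reporting-Endpoints: csp-endpoint="' . $report_url . '"' );
+header( 'Content-Security-Policy-Report-Only: ' . $policy_string );
+}
+
+add_action( 'send_headers', 'twentyeleven_content_security_policy' );
+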
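Review bot: The `$policy` array in `twentyeleven_content_security_policy` sets neither `base-uri` nor `form-action`, and those two directives do not fall back to `default-src`, so the report-only run will never surface a base-tag or form-target injection; adding `'base-uri' => "'self'",` next to `'object-src'` closes that gap and is worth doing before the header is ever switched to enforcing. `block-all-mixed-content` is a deprecated directive that some browsers ignore; `upgrade-insecure-requests` is the current equivalent if the intent is to stop mixed content rather than merely observe it. WordPress core usually emits inline scripts and styles of its own (emoji support, `wp_add_inline_style`), so the endpoint should be expected to receive `'self'`-only violations that do not originate from this theme — this is inferred from how WordPress behaves, not visible in the hunk. The docblock could say what the function actually does and how to extend it, e.g. `* Sends Reporting-Endpoints plus a report-only CSP; the directive map is filterable via 'twentyeleven_content_security_policy'.`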