diff --git a/themes/api.jquery.com/functions.php b/themes/api.jquery.com/functions.php
new file mode 100644
index 00000000..e8158237
--- /dev/null
+++ b/themes/api.jquery.com/functions.php
@@ -0,0 +1,8 @@
+ "'self'",
+ 'script-src' => "'self' 'nonce-$nonce' code.jquery.com",
+ // The nonce is here so inline scripts can be used in the theme
+ 'style-src' => "'self' 'nonce-$nonce'",
+ // data: SVG images are used in typesense
+ 'img-src' => "'self' data:",
+ 'connect-src' => "'self' typesense.jquery.com",
+ 'font-src' => "'self'",
+ 'object-src' => "'none'",
+ 'media-src' => "'self'",
+ 'frame-src' => "'self'",
+ 'child-src' => "'self'",
+ 'form-action' => "'self'",
+ 'frame-ancestors' => "'none'",
+ 'base-uri' => "'self'",
+ 'block-all-mixed-content' => '',
+ 'report-to' => 'csp-endpoint',
+ // Add report-uri for Firefox, which
+ // does not yet support report-to
+ 'report-uri' => $report_url,
+ );
+
+ $policy = apply_filters( 'jq_content_security_policy', $policy );
+
+ $policy_string = '';
+ foreach ( $policy as $key => $value ) {
+ $policy_string .= $key . ' ' . $value . '; ';
+ }
+
+ header( 'Reporting-Endpoints: csp-endpoint="' . $report_url . '"' );
+ header( 'Content-Security-Policy-Report-Only: ' . $policy_string );
+}
+
+add_action( 'send_headers', 'jq_content_security_policy' );
diff --git a/themes/jquery/header.php b/themes/jquery/header.php
index 322acb48..6dd13cba 100755
--- a/themes/jquery/header.php
+++ b/themes/jquery/header.php
@@ -5,7 +5,6 @@
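Review bot: The `'nonce-$nonce'` sources in `script-src` and `style-src` only restrict inline code if `$nonce` is unpredictable and freshly generated for every response, and its definition is outside this hunk (the enclosing `jq_content_security_policy()` function starts before the visible lines); confirm it comes from a CSPRNG such as `base64_encode( random_bytes( 16 ) )` rather than `wp_create_nonce()`, which is a time-bucketed HMAC reused across requests, and that the same value reaches the theme's inline `nonce` attributes. The `Reporting-Endpoints` header concatenates `$report_url` inside double quotes; `header()` rejects CR/LF, but a `"` in the value would corrupt the structured header, so if `$report_url` is filterable or read from an option rather than a constant it should be validated (e.g. `esc_url_raw()` plus a check that it contains no `"`). Since the header emitted is `Content-Security-Policy-Report-Only`, none of the directives block anything yet; a comment above the final `header()` call such as `// Report-Only: violations are reported to the endpoint, nothing is blocked` would make that explicit for readers of the theme. `block-all-mixed-content` is deprecated in CSP3 and can be dropped in favour of `upgrade-insecure-requests` if mixed content is the concern.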