Fixed #14664 - allow additional urls in env for CSP

Signed-off-by: snipe <[email protected]>

app/Http/Middleware/SecurityHeaders.php

@@ -88,13 +88,13 @@ public function handle($request, Closure $next)
  $csp_policy[] = "connect-src 'self'";
  $csp_policy[] = "object-src 'none'";
  $csp_policy[] = "font-src 'self' data:";
- $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
+ $csp_policy[] = "img-src 'self' data: ".config('app.url').' '.config('app.additional_csp_urls').' '.env('PUBLIC_AWS_URL').' https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com';
 
  if (config('filesystems.disks.public.driver') == 's3') {
  $csp_policy[] = "img-src 'self' data: ".config('filesystems.disks.public.url');
  }
  $csp_policy = join(';', $csp_policy);
- 
+
  $response->headers->set('Content-Security-Policy', $csp_policy);
  }
 

config/app.php

@@ -201,6 +201,9 @@
 
  'enable_csp' => env('ENABLE_CSP', true),
 
+ 'additional_csp_urls' => env('ADDITIONAL_CSP_URLS', ''),
+
+
 
  /*
  |--------------------------------------------------------------------------