}
/**
- * Get the CSP headers for the application
+ * Get the CSP headers for the application.
*/
public function getCspHeader(): string
{
{
$iframeHosts = $this->getAllowedIframeHosts();
array_unshift($iframeHosts, "'self'");
+
return 'frame-ancestors ' . implode(' ', $iframeHosts);
}
{
$iframeHosts = $this->getAllowedIframeSources();
array_unshift($iframeHosts, "'self'");
+
return 'frame-src ' . implode(' ', $iframeHosts);
}
protected function getAllowedIframeHosts(): array
{
- $hosts = config('app.iframe_hosts', '');
+ $hosts = config('app.iframe_hosts') ?? '';
return array_filter(explode(' ', $hosts));
}
protected function getAllowedIframeSources(): array
{
- $sources = config('app.iframe_sources', '');
- $hosts = array_filter(explode(' ', $sources));
+ $sources = explode(' ', config('app.iframe_sources', ''));
+ $sources[] = $this->getDrawioHost();
- // Extract drawing service url to allow embedding if active
+ return array_filter($sources);
+ }
+
+ /**
+ * Extract the host name of the configured drawio URL for use in CSP.
+ * Returns empty string if not in use.
+ */
+ protected function getDrawioHost(): string
+ {
$drawioConfigValue = config('services.drawio');
- if ($drawioConfigValue) {
- $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
- $drawioSourceParsed = parse_url($drawioSource);
- $drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
- $hosts[] = $drawioHost;
+ if (!$drawioConfigValue) {
+ return '';
+ }
+
+ $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
+ $drawioSourceParsed = parse_url($drawioSource);
+ $drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
+ if (isset($drawioSourceParsed['port'])) {
+ $drawioHost .= ':' . $drawioSourceParsed['port'];
}
- return $hosts;
+ return $drawioHost;
}
}
projects / bookstack / blobdiff