-
- /**
- * Sets CSP 'script-src' headers to restrict the forms of script that can
- * run on the page.
- */
- public function setScriptSrc(Response $response, string $nonce)
- {
- $parts = [
- '\'self\'',
- '\'nonce-' . $nonce . '\'',
- '\'strict-dynamic\'',
- ];
- $response->headers->set('Content-Security-Policy', 'script-src ' . implode(' ', $parts));
- }
-
- /**
- * Sets CSP "frame-ancestors" headers to restrict the hosts that BookStack can be
- * iframed within. Also adjusts the cookie samesite options so that cookies will
- * operate in the third-party context.
- */
- protected function setFrameAncestors(Response $response)
- {
- $iframeHosts = collect(explode(' ', config('app.iframe_hosts', '')))->filter();
-
- if ($iframeHosts->count() > 0) {
- config()->set('session.same_site', 'none');
- }
-
- $iframeHosts->prepend("'self'");
- $cspValue = 'frame-ancestors ' . $iframeHosts->join(' ');
- $response->headers->set('Content-Security-Policy', $cspValue);
- }