From 18566465bc8c27b4cbec01598957a6936d680429 Mon Sep 17 00:00:00 2001
From: Kian Cross
Date: Thu, 2 Jan 2025 17:34:59 +0000
Subject: [PATCH] Add additional CSP header configuration options (#2871)

* Add additional CSP header configuration options
Added configuration options to extend the allowed lists for the `child-src`, `font-src`, `form-action`, `frame-src`, `img-src`, and `media-src` directives in the Content Security Policy (CSP) headers. These changes enable compatibility with third-party tools, such as Google Analytics.
* formatting
---
 .env.example | 6 ++++++
 config/secure-headers.php | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/.env.example b/.env.example
index 81fa9bc5e80..009a225a232 100644
--- a/.env.example
+++ b/.env.example
@@ -99,6 +99,12 @@ QUEUE_CONNECTION=sync
 SECURITY_HEADER_HSTS_ENABLE=false
 SECURITY_HEADER_CSP_CONNECT_SRC=
 SECURITY_HEADER_SCRIPT_SRC_ALLOW=
+SECURITY_HEADER_CSP_CHILD_SRC=
+SECURITY_HEADER_CSP_FONT_SRC=
+SECURITY_HEADER_CSP_FORM_ACTION=
+SECURITY_HEADER_CSP_FRAME_SRC=
+SECURITY_HEADER_CSP_IMG_SRC=
+SECURITY_HEADER_CSP_MEDIA_SRC=
 SESSION_SECURE_COOKIE=false
 REDIS_HOST=127.0.0.1
diff --git a/config/secure-headers.php b/config/secure-headers.php
index e537c5ca534..522c69e044a 100644
--- a/config/secure-headers.php
+++ b/config/secure-headers.php
@@ -344,6 +344,7 @@
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
 'child-src' => [
+ 'allow' => explode(',', (string) env('SECURITY_HEADER_CSP_CHILD_SRC', '')),
 ],
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
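Review bot: `explode(',', '')` returns `['']`, so with the variable left empty (the `.env.example` default) the new child-src `allow` list always carries a single empty-string entry; the same applies to the font-src, form-action and frame-src entries in the next hunk and to the `explode` arguments appended to the img-src and media-src `array_merge` calls. Unless the CSP builder that consumes this config already discards empty values, that can surface as a stray token in the emitted header, and a value typed as `a.example, b.example` keeps the whitespace after the comma. Normalising at the point of reading would cover both: `'allow' => array_values(array_filter(array_map(trim(...), explode(',', (string) env('SECURITY_HEADER_CSP_CHILD_SRC', ''))))),`. If the pre-existing connect-src and script-src entries follow the same shape, the same normalisation applies there. The enclosing config array starts and ends outside the hunk.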
@@ -359,11 +360,13 @@
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
 'font-src' => [
+ 'allow' => explode(',', (string) env('SECURITY_HEADER_CSP_FONT_SRC', '')),
 ],
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
 'form-action' => [
 'self' => true,
+ 'allow' => explode(',', (string) env('SECURITY_HEADER_CSP_FORM_ACTION', '')),
 ],
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
@@ -372,6 +375,7 @@
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
 'frame-src' => [
+ 'allow' => explode(',', (string) env('SECURITY_HEADER_CSP_FRAME_SRC', '')),
 ],
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
@@ -398,7 +402,8 @@
 [
 // @phpstan-ignore-next-line
 str_replace(parse_url(env('AWS_URL'), PHP_URL_PATH), '', env('AWS_URL')),
- ]
+ ],
+ explode(',', (string) env('SECURITY_HEADER_CSP_IMG_SRC', ''))
 ),
 ],
@@ -418,7 +423,8 @@
 [
 // @phpstan-ignore-next-line
 str_replace(parse_url(env('AWS_URL'), PHP_URL_PATH), '', env('AWS_URL')),
- ]
+ ],
+ explode(',', (string) env('SECURITY_HEADER_CSP_MEDIA_SRC', ''))
 ),
 ],
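Review bot: The new `allow` entry in the form-action block carries no comment on what widening it means, and of the six new options it is the one that changes where browser form submissions, and whatever data they carry, may be sent, so the origins listed there deserve the same scrutiny as script sources. A comment above that line such as `// Additional origins forms may submit to; list only origins you control or fully trust` would make this explicit. The matching `.env.example` entries in the first hunk also give no hint of the expected format; a trailing `# comma-separated list of origins, e.g. https://example.com` (example value constructed) would tell an operator how to fill them in. The form-action block's enclosing config array starts and ends outside the hunk.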