page: declare minimal security policy header

[minimedit.git] / page.php

diff --git a/page.php b/page.php
index f4d6057aceac1f7e5570636d30f094476222c188..dee5ee09d9a45edd821a30f7f0b5de63359bf408 100644 (file)
--- a/page.php
+++ b/page.php
@@ -159,6 +159,12 @@ if ($PageAccess = $Article->restricted) {
 
 # prepare page contents
 
+header(sprintf('Content-Security-Policy: %s', implode('; ', [
+       "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
+       "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+       "frame-ancestors 'none'", # prevent malicious embedding
+])));
+
 ob_start(); # page body
 $Place = [
        'user'  => $User ? $User->login : '',
@@ -175,11 +181,13 @@ if (isset($Article->raw)) {
                        ) . $Article->raw;
                }
        }
-       $Article->raw = '<div class="static">'."\n\n".$Article->raw."</div>\n\n";
 }
-elseif (!$Article->raw and $User and $User->admin("edit {$Article->link}")) {
+elseif ($User and $User->admin("edit {$Article->link}")) {
        $Article->raw(file_exists("$Page/template.inc.html") ? "$Page/template.inc.html" : 'template.inc.html');
 }
+if (isset($Article->raw)) {
+       $Article->raw = '<div class="static">'."\n\n".$Article->raw."</div>\n\n";
+}
 
 # output dynamic and/or static html