X-Git-Url: http://git.shiar.net/minimedit.git/blobdiff_plain/ed38c6a76767a893a319f7bfd9229b0dad6b08db..a034b7a3f5b363f74a47c9f20bfa0cf4f2988b34:/page.php
diff --git a/page.php b/page.php
index f4d6057..93b705f 100644
--- a/page.php
+++ b/page.php
@@ -159,6 +159,13 @@ if ($PageAccess = $Article->restricted) {
 # prepare page contents
+header(sprintf('Content-Security-Policy: %s', implode('; ', [
+ "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
+ "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+ "base-uri 'self'", # only local pages
+ "frame-ancestors 'none'", # prevent malicious embedding
+])));
+
 ob_start(); # page body
 $Place = [
 'user' => $User ? $User->login : '',
@@ -175,11 +182,13 @@ if (isset($Article->raw)) {
 ) . $Article->raw;
 }
 }
-	$Article->raw = '
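Review bot: The `default-src` and `img-src` entries of the new Content-Security-Policy allow `http://cdn.ckeditor.com`, so editor scripts and images are permitted over plain HTTP; on an HTTPS page the browser blocks them as mixed content, and on an HTTP page they can be altered in transit before execution. Use the HTTPS origin on both lines: `"default-src 'self' 'unsafe-inline' https://cdn.ckeditor.com", # some overrides remain` and `"img-src 'self' data: https://cdn.ckeditor.com", # inline svg (in css)`. Note also that `'unsafe-inline'` in `default-src` is inherited by script-src, so this policy does not block injected inline scripts; a separate `script-src` without it (carrying a nonce for the remaining overrides the comment mentions) would be the natural follow-up. `form-action` is not derived from `default-src` either, so forms can still submit to other origins unless it is added.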
'."\n\n".$Article->raw."
\n\n";
 }
-elseif (!$Article->raw and $User and $User->admin("edit {$Article->link}")) {
+elseif ($User and $User->admin("edit {$Article->link}")) {
 	$Article->raw(file_exists("$Page/template.inc.html") ? "$Page/template.inc.html" : 'template.inc.html');
 }
+if (isset($Article->raw)) {
+	$Article->raw = '
'."\n\n".$Article->raw."
\n\n";
+}
 # output dynamic and/or static html