From 400b3320aa60ecd2255278fe66555febaeeb8cad Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 29 May 2017 15:20:50 +0200
Subject: [PATCH] NEW Introduction option MAIN_HTTP_CONTENT_SECURITY_POLICY

---
 htdocs/main.inc.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 730c2caba4a..26f455131cd 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -1008,7 +1008,15 @@ function top_httphead($contenttype='text/html')
 // Security options
 header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
 header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
- // TODO Content-Security-Policy
+ if (! empty($conf->global->MAIN_HTTP_CONTENT_SECURITY_POLICY))
+ {
+ // For example, to restrict script, object, frames or img to some domains
+ // script-src https://api.google.com https://anotherhost.com; object-src https://youtube.com; child-src https://youtube.com; img-src: https://static.example.com
+ // For example, to restrict everything to one domain, except object, ...
+ // default-src https://cdn.example.net; object-src 'none'
+ header("Content-Security-Policy: ".$conf->global->MAIN_HTTP_CONTENT_SECURITY_POLICY);
+ }
+
 // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
 /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {