Closed Udera closed 7 years ago
This must be configured in the webserver (in the configuration) or, in the case of Apache, it can be done in a .htaccess:
# The Header directive is provided by mod_headers, so guard on that module
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
</IfModule>
Do we put this in the documentation or do we want to ship a .htaccess?
I guess you could use header() as usual.
I wonder about the actual use for this header though, and even more about its actual looks. Wouldn't Content-Security-Policy default-src 'self' be basically equivalent to your much longer suggestion?
That's indeed much easier. I created a PR.
Some inline code needs to be removed first. I won't do this for version 2.3.1, perhaps for a later version, or even wait for vexim3.
Follow up of https://github.com/vexim/vexim2/pull/207
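An added example, not part of the original thread or the vexim code: it resolves each fetch directive through its CSP Level 3 fallback chain to compare the two policies quoted above, and checks whether either one still permits inline script. The function names are hypothetical, and only the fetch directives listed in `FALLBACK` are modelled.

```javascript
// Added example: the sample policies are the two strings quoted in this thread.
const LONG = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
const SHORT = "default-src 'self'";

// Fallback chains for fetch directives (CSP Level 3); other directives are omitted.
const FALLBACK = {
  'script-src': ['default-src'], 'style-src': ['default-src'],
  'img-src': ['default-src'], 'connect-src': ['default-src'],
  'font-src': ['default-src'], 'media-src': ['default-src'],
  'object-src': ['default-src'], 'manifest-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};

// Parse a policy string into Map(directive -> source list); the first duplicate wins.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Source list that governs `directive`, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// Fetch directives whose effective source list differs between two policies.
function diffPolicies(a, b) {
  const pa = parsePolicy(a), pb = parsePolicy(b), out = {};
  for (const d of Object.keys(FALLBACK)) {
    const ea = JSON.stringify(effectiveSources(pa, d));
    const eb = JSON.stringify(effectiveSources(pb, d));
    if (ea !== eb) out[d] = [ea, eb];
  }
  return out;
}

// True when script-src (or its fallback) has no 'unsafe-inline', nonce or hash source.
function blocksInlineScript(text) {
  const src = effectiveSources(parsePolicy(text), 'script-src');
  return src !== null && !src.some(s => /^'(unsafe-inline|nonce-|sha(256|384|512)-)/.test(s));
}

console.log(diffPolicies(LONG, SHORT));
console.log(blocksInlineScript(LONG), blocksInlineScript(SHORT));
```

The two policies agree on scripts, styles, images and connections, and differ only on the directives the longer one leaves at `'none'`. Both block inline script, which matches the remark that inline code has to be removed first.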