NEW Introduction option MAIN_HTTP_CONTENT_SECURITY_POLICY

htdocs/main.inc.php

@@ -1008,7 +1008,15 @@ function top_httphead($contenttype='text/html')
     // Security options
     header("X-Content-Type-Options: nosniff");  // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
     header("X-Frame-Options: SAMEORIGIN");      // Frames allowed only if on same domain (stop some XSS attacks)
-    // TODO Content-Security-Policy
+    if (! empty($conf->global->MAIN_HTTP_CONTENT_SECURITY_POLICY))
+    {
+        // For example, to restrict script, object, frames or img to some domains
+        // script-src https://api.google.com https://anotherhost.com; object-src https://youtube.com; child-src https://youtube.com; img-src: https://static.example.com  
+        // For example, to restrict everything to one domain, except object, ...
+        // default-src https://cdn.example.net; object-src 'none'
+        header("Content-Security-Policy: ".$conf->global->MAIN_HTTP_CONTENT_SECURITY_POLICY);
+    }
+      
     
     // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
     /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {