diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php
index 23f7a6d0aca..42945587fee 100644
--- a/htdocs/admin/security.php
+++ b/htdocs/admin/security.php
@@ -20,7 +20,7 @@
/**
* \file htdocs/admin/security.php
* \ingroup setup
- * \brief Page de configuration du module securite
+ * \brief Page of setup of security
*/
// Load Dolibarr environment
diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php
index 7ad70c385b5..f6c53f9ae2d 100644
--- a/htdocs/admin/system/security.php
+++ b/htdocs/admin/system/security.php
@@ -740,6 +740,11 @@ print '
';
print 'MAIN_SECURITY_FORCERP = '.getDolGlobalString('MAIN_SECURITY_FORCERP', ''.$langs->trans("Undefined").'').' ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"same-origin\" so browser doesn't send any referrer when going into another web site domain)
";
print '
';
+print 'MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN = '.getDolGlobalString('MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN', ''.$langs->trans("Undefined").'').' ('.$langs->trans("Recommended").": 1)
";
+print '
';
+
+// For websites
+
print 'WEBSITE_MAIN_SECURITY_FORCECSPRO = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO', ''.$langs->trans("Undefined").'');
print ' ('.$langs->trans("Example").": \"frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; style-src https://cdnjs.cloudflare.com *.googleapis.com; script-src *.transifex.com *.google-analytics.com *.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src * data:;\")
";
print '
';
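Review bot: The new print for MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN copies the surrounding `''.$langs->trans("Undefined").''` idiom, in which both empty-string concatenations are no-ops; `getDolGlobalString('MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN', $langs->trans("Undefined"))` reads the same and is clearer. The line also only says "Recommended: 1" without telling the administrator what the option does; based on the main.inc.php hunk in this same diff, a short trailing note such as `(when set, Access-Control-Allow-Origin is sent with the configured main URL root)` would make the recommendation actionable. The surrounding page output continues outside the hunk.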
@@ -757,6 +762,7 @@ print '
';
print 'WEBSITE_MAIN_SECURITY_FORCEPP = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP', ''.$langs->trans("Undefined").'').' ('.$langs->trans("Example").": \"camera: (); microphone: ();\")
";
print '
';
+
print '';
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 614b222baf6..6bf70b996fe 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -1543,11 +1543,18 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
// X-Frame-Options
if (!defined('XFRAMEOPTIONS_ALLOWALL')) {
- header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+ header("X-Frame-Options: SAMEORIGIN"); // By default, frames allowed only if on same domain (stop some XSS attacks)
} else {
header("X-Frame-Options: ALLOWALL");
}
+ if (getDolGlobalString('MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN')) {
+ $tmpurl = constant('DOL_MAIN_URL_ROOT');
+ $tmpurl = preg_replace('/^(https?:\/\/[^\/]+)\/.*$/', '\1', $tmpurl);
+ header('Access-Control-Allow-Origin: '.$tmpurl);
+ header('Vary: Origin');
+ }
+
// X-XSS-Protection
//header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated.
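Review bot: The comment on the new X-Frame-Options line describes SAMEORIGIN as stopping XSS, but that header only restricts who may frame the page, so what it mitigates is clickjacking rather than script injection; suggest `header("X-Frame-Options: SAMEORIGIN"); // By default, frames allowed only if on same domain (mitigates clickjacking)`. The added Access-Control-Allow-Origin block derives the origin from the configured DOL_MAIN_URL_ROOT rather than reflecting the request's Origin header, which is the safe choice, but the `[^\/]+` group would also capture userinfo if the configured URL contains `user:pass@`, and a URL with no path is passed through unchanged; reassembling scheme, host and optional port from `parse_url()` (with a fallback when it returns false) would yield a well-formed origin in every case. Because the emitted value never depends on the request, `Vary: Origin` appears unnecessary here; if it is kept on purpose, a one-line comment saying why would spare the next reader the same question. top_httphead() begins and ends outside the hunk.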
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index 9a07285c7f1..e5ff0cc237f 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
@@ -82,7 +82,7 @@ $conf->file->main_authentication = empty($dolibarr_main_authentication) ? 'dolib
$conf->file->main_force_https = empty($dolibarr_main_force_https) ? '' : $dolibarr_main_force_https; // Force https
$conf->file->strict_mode = empty($dolibarr_strict_mode) ? '' : $dolibarr_strict_mode; // Force php strict mode (for debug)
$conf->file->instance_unique_id = empty($dolibarr_main_instance_unique_id) ? (empty($dolibarr_main_cookie_cryptkey) ? '' : $dolibarr_main_cookie_cryptkey) : $dolibarr_main_instance_unique_id; // Unique id of instance
-$conf->file->dol_main_url_root = $dolibarr_main_url_root;
+$conf->file->dol_main_url_root = $dolibarr_main_url_root; // Define url inside the config file
$conf->file->dol_document_root = array('main' => (string) DOL_DOCUMENT_ROOT); // Define array of document root directories ('/home/htdocs')
$conf->file->dol_url_root = array('main' => (string) DOL_URL_ROOT); // Define array of url root path ('' or '/dolibarr')
if (!empty($dolibarr_main_document_root_alt)) {