make yet another recommended security header optional - this time because of piwik. Personally I think if you want to track people you really don't understand this project and its history, but whatever....

2016-02-08 14:48:11 -08:00
parent 90fd23e0cd
commit a14b87baf2
12 changed files with 107 additions and 1 deletions
--- a/boot.php
+++ b/boot.php
@@ -2167,7 +2167,8 @@ function construct_page(&$a) {
 	if($a->get_scheme() === 'https' && $a->config['system']['transport_security_header'])
 		header("Strict-Transport-Security: max-age=31536000");

-	header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+	if($a->config['system']['content_security_policy'])
+		header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");

 	if($a->config['system']['x_security_headers']) {
 		header("X-Frame-Options: SAMEORIGIN");