[FAQ] How to allow Vimeo or Youtube
bnomei opened this issue
Bruno Meilick commented
Question:
How to add directives for other domains?
Answer:
You could create a custom snippet based on the default one or just override the CSP
in your config file. Example for Vimeo:
```php
<?php

use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

return [
    'bnomei.securityheaders.csp' => function() {
        $policy = new ContentSecurityPolicyHeaderBuilder();

        // root domain
        $sourcesetID = kirby()->site()->title()->value();
        $policy->defineSourceSet($sourcesetID, [kirby()->site()->url()]);
        $directives = [
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_IMG_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_FONT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_CONNECT_SRC,
        ];
        foreach ($directives as $d) {
            $policy->addSourceSet($d, $sourcesetID);
        }

        // vimeo
        $sourcesetID = 'vimeo';
        $policy->defineSourceSet($sourcesetID, ['player.vimeo.com']);
        $directives = [
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_IMG_SRC,
        ];
        foreach ($directives as $d) {
            $policy->addSourceSet($d, $sourcesetID);
        }

        return $policy;
    },
];
```
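
The config above lists `player.vimeo.com` under `default-src` but sets no `frame-src`, so an embedded player iframe is allowed only through directive fallback. The following is an added example, not code from the plugin or its author: a simplified JavaScript model of that fallback, in which the header strings, `example.com`, `maps.example.net` and the video id are constructed for illustration.

```javascript
// Added example: simplified model of CSP directive fallback and host matching.
// Fallback chains for the request kinds relevant to the config on this page.
const FALLBACK = {
  frame: ['frame-src', 'child-src', 'default-src'],
  script: ['script-src', 'default-src'],
  style: ['style-src', 'default-src'],
  img: ['img-src', 'default-src'],
};

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Host-source match only. Simplifications: a source without a scheme matches any
// scheme; keywords ('self'), bare *, scheme-only sources, ports, paths are ignored.
function hostMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const actual = url.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  return wildcard ? actual.endsWith('.' + wanted) : actual === wanted;
}

// Which directive governs this request kind, and does it allow the target?
function check(header, kind, target) {
  const policy = parseCsp(header);
  const directive = FALLBACK[kind].find((d) => policy.has(d));
  if (!directive) return { directive: null, allowed: true }; // unrestricted
  const url = new URL(target);
  const allowed = policy.get(directive).some((s) => hostMatches(s, url));
  return { directive, allowed };
}

// Constructed headers (example.com, maps.example.net and the video id are made up).
const fromConfig = 'default-src https://example.com player.vimeo.com; ' +
  'script-src https://example.com player.vimeo.com';
const withFrameSrc = fromConfig + '; frame-src https://maps.example.net';
const embed = 'https://player.vimeo.com/video/1';
console.log(check(fromConfig, 'frame', embed), check(withFrameSrc, 'frame', embed));
```

If the policy later gains its own `frame-src`, `player.vimeo.com` has to be listed there as well, because the `default-src` entry no longer applies to iframes.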
Bruno Meilick commented
Closing since the example will no longer be valid in the next major version.