bnomei / kirby3-security-headers

Kirby Plugin for easier Security Headers setup

Home Page: https://forum.getkirby.com/t/kirby3-security-headers-best-practice-headers-nonce-csp-and-feature-policies/23583


[FAQ] How to allow Vimeo or Youtube

bnomei opened this issue

Question:
How to add directives for other domains?

Answer:
You could create a custom snippet based on the default one, or just override the CSP in your config file. Example for Vimeo:

<?php
// site/config/config.php
use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

return [
    // The plugin calls this closure and sends the policy it returns.
    'bnomei.securityheaders.csp' => function () {
        $policy = new ContentSecurityPolicyHeaderBuilder();

        // Root domain: a source set is a named list of hosts that can be
        // attached to several directives. The ID is an arbitrary label;
        // here the site title is used.
        $sourcesetID = kirby()->site()->title()->value();
        $policy->defineSourceSet($sourcesetID, [kirby()->site()->url()]);

        $directives = [
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_IMG_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_FONT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_CONNECT_SRC,
        ];
        foreach ($directives as $d) {
            $policy->addSourceSet($d, $sourcesetID);
        }

        // Vimeo: allow the player host in the listed directives. No
        // frame-src is set, so the player iframe falls back to default-src,
        // which now includes player.vimeo.com.
        $sourcesetID = 'vimeo';
        $policy->defineSourceSet($sourcesetID, ['player.vimeo.com']);

        $directives = [
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_IMG_SRC,
        ];
        foreach ($directives as $d) {
            $policy->addSourceSet($d, $sourcesetID);
        }

        return $policy;
    },
];
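The following is an added example, not code from the issue or from the plugin itself. It extends the answer above to cover YouTube as well as Vimeo and grants each third-party host only the directive its embed actually needs: an iframe embed is governed by frame-src on the embedding page, while whatever loads inside the frame is controlled by the frame's own policy, so the third-party host does not need script-src or style-src here. The YouTube and thumbnail host names and the DIRECTIVE_FRAME_SRC constant are assumptions about the embed code and about the php-csp library; check both against the version you have installed. It uses the same php-csp API as the answer, so the maintainer's note below about the next major version applies to it too.

```php
<?php
// site/config/config.php (assumed location of the Kirby config file)
use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

return [
    'bnomei.securityheaders.csp' => function () {
        $policy = new ContentSecurityPolicyHeaderBuilder();

        // Own origin: the same set of directives as in the answer above,
        // plus an explicit frame-src so iframes no longer fall back to
        // default-src.
        $policy->defineSourceSet('site', [kirby()->site()->url()]);
        $siteDirectives = [
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_IMG_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_FONT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_CONNECT_SRC,
            ContentSecurityPolicyHeaderBuilder::DIRECTIVE_FRAME_SRC, // assumed constant name
        ];
        foreach ($siteDirectives as $directive) {
            $policy->addSourceSet($directive, 'site');
        }

        // Embed providers. Host names are assumptions about the iframe
        // embed code, not something the issue states. Each host is only
        // added to the directive it needs: frame-src for the player
        // iframe, img-src for thumbnail images.
        $embeds = [
            'vimeo' => [
                'hosts'      => ['player.vimeo.com'],
                'directives' => [ContentSecurityPolicyHeaderBuilder::DIRECTIVE_FRAME_SRC],
            ],
            'youtube' => [
                'hosts'      => ['www.youtube.com', 'www.youtube-nocookie.com'],
                'directives' => [ContentSecurityPolicyHeaderBuilder::DIRECTIVE_FRAME_SRC],
            ],
            'youtube-thumbnails' => [
                'hosts'      => ['i.ytimg.com'],
                'directives' => [ContentSecurityPolicyHeaderBuilder::DIRECTIVE_IMG_SRC],
            ],
        ];

        foreach ($embeds as $id => $embed) {
            $policy->defineSourceSet($id, $embed['hosts']);
            foreach ($embed['directives'] as $directive) {
                $policy->addSourceSet($directive, $id);
            }
        }

        return $policy;
    },
];
```

Keeping third-party players out of script-src matters: a host listed in script-src can be used to bypass the policy if it serves any attacker-controllable script, so the narrower frame-src grant is the one to prefer for iframe embeds.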

Closing since the example will no longer be valid in the next major version.