Add HTTP headers security - Add support for Content-Security-Policy-Report-Only - refs #2013

main/inc/lib/template.lib.php

@@ -1512,6 +1512,10 @@ class Template
         if (!empty($setting)) {
             header('Content-Security-Policy: '.$setting);
         }
+        $setting = api_get_configuration_value('security_content_policy_report_only');
+        if (!empty($setting)) {
+            header('Content-Security-Policy-Report-Only: '.$setting);
+        }
         // Public-Key-Pins
         $setting = api_get_configuration_value('security_public_key_pins');
         if (!empty($setting)) {

main/install/configuration.dist.php

@@ -416,6 +416,7 @@ $_configuration['agenda_legend'] = [
 // The provided default is an *example*, please customize.
 // This setting is particularly complicated to set with CKeditor
 //$_configuration['security_content_policy'] = 'default-src \'self\'; script-src *://*.google.com:*';
+//$_configuration['security_content_policy_report_only'] = 'default-src \'self\'; script-src *://*.google.com:*';
 //
 // HTTP Public Key Pinning protects your site from MiTM attacks using rogue
 // X.509 certificates. By whitelisting only the identities that the browser