From 467225e6e43f02dcd4635e258e616e90cbe4c62a Mon Sep 17 00:00:00 2001 From: Roman Kelesidis Date: Wed, 19 Mar 2025 14:25:51 +0300 Subject: [PATCH] Revert "feat: Added secure headers configuring (#1856)" This reverts commit 9766c534bddad8e82e6d19f9bad5cf70b9887f9a. --- common.php | 5 +- composer.json | 1 - composer.lock | 85 +-- library/config.secure-headers.php | 845 ------------------------------ 4 files changed, 4 insertions(+), 932 deletions(-) delete mode 100644 library/config.secure-headers.php diff --git a/common.php b/common.php index 11e1ee775..a455a7de2 100644 --- a/common.php +++ b/common.php @@ -38,6 +38,7 @@ if (!defined('BB_SCRIPT')) { define('BB_SCRIPT', null); } +header('X-Frame-Options: SAMEORIGIN'); date_default_timezone_set('UTC'); // Set remote address @@ -105,10 +106,6 @@ define('FORUM_PATH', $bb_cfg['script_path']); define('FULL_URL', $server_protocol . $bb_cfg['server_name'] . $server_port . $bb_cfg['script_path']); unset($server_protocol, $server_port); -// Secure headers -$secureHeaders = \Bepsvpt\SecureHeaders\SecureHeaders::fromFile(BB_PATH . '/library/config.secure-headers.php'); -$secureHeaders->send(); - /** * Database */ diff --git a/composer.json b/composer.json index 2577aa073..82f829c9b 100644 --- a/composer.json +++ b/composer.json @@ -56,7 +56,6 @@ "belomaxorka/captcha": "1.*", "egulias/email-validator": "^4.0.1", "filp/whoops": "^2.15", - "bepsvpt/secure-headers": "9.*", "z4kn4fein/php-semver": "^v3.0.0", "nemorize/indexnow": "^0.0.1", "gigablah/sphinxphp": "2.0.8", diff --git a/composer.lock b/composer.lock index 750030512..3012c3903 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "098530029429a81a4a25a5d7276584c4", + "content-hash": "c1e345a7abe58feb13d951acfd499e95", "packages": [ { "name": "arokettu/bencode", 
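Review bot: The `header('X-Frame-Options: SAMEORIGIN');` line restored in the first common.php hunk is now the only security header the application sets itself. According to the deleted library/config.secure-headers.php, the removed `$secureHeaders->send()` call (second common.php hunk) was also configured to send `nosniff`, `Referrer-Policy: no-referrer`, `X-Download-Options: noopen` and `X-Permitted-Cross-Domain-Policies: none`. The commit message gives no reason for the revert, so this is a guess, but if the CSP or Permissions-Policy part caused it, the MIME-sniffing protection could stay as a plain call beside the restored one: `header('X-Content-Type-Options: nosniff');`. The deleted config's own comment marks X-Frame-Options as no longer recommended, so `header("Content-Security-Policy: frame-ancestors 'self'");` next to it would express the same framing restriction in the form current browsers prefer. Nothing visible here shows whether the web server adds these headers too, so a short comment above the calls, such as `// Baseline response headers set by the application; check the web-server config before relying on them`, would help whoever deploys this.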
@@ -470,85 +470,6 @@ }, "time": "2025-03-10T13:15:53+00:00" }, - { - "name": "bepsvpt/secure-headers", - "version": "9.0.0", - "source": { - "type": "git", - "url": "https://github.com/bepsvpt/secure-headers.git", - "reference": "7efbc3d8b988051b5ff81c4cacd1d12e875528ed" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/bepsvpt/secure-headers/zipball/7efbc3d8b988051b5ff81c4cacd1d12e875528ed", - "reference": "7efbc3d8b988051b5ff81c4cacd1d12e875528ed", - "shasum": "" - }, - "require": { - "ext-json": "*", - "php": "^7.1 || ^8.0" - }, - "require-dev": { - "ergebnis/composer-normalize": "^2.42", - "ext-xdebug": "*", - "laravel/pint": "^1.14", - "orchestra/testbench": "^3.1 || ^4.18 || ^5.20 || ^6.43 || ^7.41 || ^8.22 || ^9.0", - "phpstan/phpstan": "^1.10", - "phpunit/phpunit": "^5.7 || ^6.5 || ^7.5 || ^8.5 || ^9.6 || ^10.5" - }, - "type": "library", - "extra": { - "laravel": { - "providers": [ - "Bepsvpt\\SecureHeaders\\SecureHeadersServiceProvider" - ] - } - }, - "autoload": { - "files": [ - "src/helpers.php" - ], - "psr-4": { - "Bepsvpt\\SecureHeaders\\": "src/" - } - }, - "notification-url": "https://packagist.org/downloads/", - "license": [ - "MIT" - ], - "authors": [ - { - "name": "bepsvpt", - "email": "6ibrl@cpp.tw" - } - ], - "description": "Add security related headers to HTTP response. 
The package includes Service Providers for easy Laravel integration.", - "homepage": "https://github.com/bepsvpt/secure-headers", - "keywords": [ - "clear-site-data", - "content-security-policy", - "csp", - "except-ct", - "feature-policy", - "header", - "hsts", - "https", - "laravel", - "permissions-policy", - "referrer-policy" - ], - "support": { - "issues": "https://github.com/bepsvpt/secure-headers/issues", - "source": "https://github.com/bepsvpt/secure-headers/tree/9.0.0" - }, - "funding": [ - { - "url": "https://opencollective.com/secure-headers", - "type": "open_collective" - } - ], - "time": "2025-01-18T07:18:04+00:00" - }, { "name": "bugsnag/bugsnag", "version": "v3.29.3", @@ -3933,6 +3854,6 @@ "platform": { "php": "^8.1 | ^8.2 | ^8.3 | ^8.4" }, - "platform-dev": {}, - "plugin-api-version": "2.6.0" + "platform-dev": [], + "plugin-api-version": "2.3.0" } diff --git a/library/config.secure-headers.php b/library/config.secure-headers.php deleted file mode 100644 index d5271e3e2..000000000 --- a/library/config.secure-headers.php +++ /dev/null 
@@ -1,845 +0,0 @@ - '', - - /** - * X-Content-Type-Options - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options - * - * Available Value: 'nosniff' - */ - 'x-content-type-options' => 'nosniff', - - /** - * X-DNS-Prefetch-Control - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control - * - * Available Value: 'on', 'off' - */ - 'x-dns-prefetch-control' => '', - - /** - * X-Download-Options - * - * @see https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx - * - * Available Value: 'noopen' - */ - 'x-download-options' => 'noopen', - - /** - * X-Frame-Options - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options - * @deprecated The X-Frame-Options is no longer recommended for use; please use Content-Security-Policy (CSP) instead. - * - * Available Value: 'deny', 'sameorigin', 'allow-from ' - */ - 'x-frame-options' => 'sameorigin', - - /** - * X-Permitted-Cross-Domain-Policies - * - * @see https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html - * - * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename' - */ - 'x-permitted-cross-domain-policies' => 'none', - - /** - * X-Powered-By - * - * Note: it will not add to response header if the value is empty string. - * - * Also, verify that expose_php is turned Off in php.ini. - * Otherwise, the header will still be included in the response. - * - * @see https://github.com/bepsvpt/secure-headers/issues/58#issuecomment-782332442 - */ - 'x-powered-by' => '', - - /** - * X-XSS-Protection - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection - * @deprecated The X-XSS-Protection is no longer recommended for use; please use Content-Security-Policy (CSP) instead. 
- * - * Available Value: '1', '0', '1; mode=block' - */ - 'x-xss-protection' => '', - - /** - * Referrer-Policy - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy - * - * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', - * 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url' - */ - 'referrer-policy' => 'no-referrer', - - /** - * Cross-Origin-Embedder-Policy - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy - * - * Available Value: 'unsafe-none', 'require-corp', 'credentialless' - */ - 'cross-origin-embedder-policy' => 'unsafe-none', - - /** - * Cross-Origin-Opener-Policy - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy - * - * Available Value: 'unsafe-none', 'same-origin-allow-popups', 'same-origin' - */ - 'cross-origin-opener-policy' => 'unsafe-none', - - /** - * Cross-Origin-Resource-Policy - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy - * - * Available Value: 'same-site', 'same-origin', 'cross-origin' - */ - 'cross-origin-resource-policy' => 'cross-origin', - - /** - * Clear-Site-Data - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data - */ - 'clear-site-data' => [ - 'enable' => false, - - 'all' => false, - - 'cache' => true, - - 'clientHints' => true, - - 'cookies' => true, - - 'storage' => true, - - 'executionContexts' => true, - ], - - /** - * HTTP Strict Transport Security - * - * @see https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security - * - * Note: Please ensure your website had set up ssl/tls before enable hsts. 
- */ - 'hsts' => [ - 'enable' => false, - - 'max-age' => 31536000, - - 'include-sub-domains' => false, - - 'preload' => false, - ], - - /** - * Reporting Endpoints - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints - * - * Note: The array key is the endpoint name, and the value is the URL. - */ - 'reporting' => [ - // 'csp' => 'https://example.com/csp-reports', - // 'nel' => 'https://example.com/nel-reports', - ], - - /** - * Network Error Logging - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Network_Error_Logging - * @see https://developer.mozilla.org/en-US/docs/Web/API/Reporting_API - */ - 'nel' => [ - 'enable' => false, - - // The name of reporting API, not the endpoint URL. - 'report-to' => '', - - 'max-age' => 86400, - - 'include-subdomains' => false, - - 'success-fraction' => 0.0, - - 'failure-fraction' => 1.0, - ], - - /** - * Expect-CT - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT - * @deprecated This feature is no longer recommended. 
- */ - 'expect-ct' => [ - 'enable' => false, - - 'max-age' => 2147483648, - - 'enforce' => false, - - // report uri must be absolute-URI - 'report-uri' => null, - ], - - /** - * Permissions Policy - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy - */ - 'permissions-policy' => [ - 'enable' => true, - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer - 'accelerometer' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor - 'ambient-light-sensor' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/attribution-reporting - 'attribution-reporting' => [ - 'none' => false, - - '*' => true, - - 'self' => false, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay - 'autoplay' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/bluetooth - 'bluetooth' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics - 'browsing-topics' => [ - 'none' => false, - - '*' => true, - - 'self' => false, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera - 'camera' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure - 'compute-pressure' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure - 'cross-origin-isolated' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture - 'display-capture' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain - 'document-domain' => [ - 'none' => false, - - '*' => true, - - 'self' => false, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media - 'encrypted-media' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen - 'fullscreen' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad - 'gamepad' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation - 'geolocation' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope - 'gyroscope' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid - 'hid' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get - 'identity-credentials-get' => [ - 'none' => false, - - '*' => false, - - 'self' => 
true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection - 'idle-detection' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/local-fonts - 'local-fonts' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer - 'magnetometer' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone - 'microphone' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi - 'midi' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/otp-credentials - 'otp-credentials' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment - 'payment' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture - 'picture-in-picture' => [ - 'none' => false, - - '*' => true, - - 'self' => false, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create - 'publickey-credentials-create' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get - 
'publickey-credentials-get' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock - 'screen-wake-lock' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial - 'serial' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection - 'speaker-selection' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access - 'storage-access' => [ - 'none' => false, - - '*' => true, - - 'self' => false, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb - 'usb' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share - 'web-share' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management - 'window-management' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking - 'xr-spatial-tracking' => [ - 'none' => false, - - '*' => false, - - 'self' => true, - - 'origins' => [], - ], - ], - - /** - * Content Security Policy - * - * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP - */ - 'csp' => [ - 'enable' => true, - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only - 
'report-only' => false, - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to - 'report-to' => '', - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri - 'report-uri' => [ - // uri - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content - 'block-all-mixed-content' => false, - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests - 'upgrade-insecure-requests' => false, - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri - 'base-uri' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src - 'child-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src - 'connect-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src - 'default-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src - 'fenced-frame-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src - 'font-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action - 'form-action' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors - 'frame-ancestors' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src - 'frame-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src - 'img-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src - 
'manifest-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src - 'media-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src - 'object-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src - 'prefetch-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for - 'require-trusted-types-for' => [ - 'script' => false, - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox - 'sandbox' => [ - 'enable' => false, - - 'allow-downloads' => false, - - 'allow-forms' => false, - - 'allow-modals' => false, - - 'allow-orientation-lock' => false, - - 'allow-pointer-lock' => false, - - 'allow-popups' => false, - - 'allow-popups-to-escape-sandbox' => false, - - 'allow-presentation' => false, - - 'allow-same-origin' => false, - - 'allow-scripts' => false, - - 'allow-storage-access-by-user-activation' => false, - - 'allow-top-navigation' => false, - - 'allow-top-navigation-by-user-activation' => false, - - 'allow-top-navigation-to-custom-protocols' => false, - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src - 'script-src' => [ - 'none' => false, - - 'self' => false, - - 'report-sample' => false, - - 'allow' => [ - // 'url', - ], - - 'schemes' => [ - // 'data:', - // 'https:', - ], - - /* followings are only work for `script` and `style` related directives */ - - 'unsafe-inline' => false, - - 'unsafe-eval' => false, - - // https://www.w3.org/TR/CSP3/#unsafe-hashes-usage - 'unsafe-hashes' => false, - - // Enable `strict-dynamic` will *ignore* `self`, `unsafe-inline`, - // `allow` and `schemes`. 
You can find more information from: - // https://www.w3.org/TR/CSP3/#strict-dynamic-usage - 'strict-dynamic' => false, - - 'hashes' => [ - 'sha256' => [ - // 'sha256-hash-value-with-base64-encode', - ], - - 'sha384' => [ - // 'sha384-hash-value-with-base64-encode', - ], - - 'sha512' => [ - // 'sha512-hash-value-with-base64-encode', - ], - ], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr - 'script-src-attr' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem - 'script-src-elem' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src - 'style-src' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr - 'style-src-attr' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem - 'style-src-elem' => [ - // - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types - 'trusted-types' => [ - 'enable' => false, - - 'none' => false, - - 'allow-duplicates' => false, - - 'policies' => [ - // - ], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src - 'worker-src' => [ - // - ], - ], -];