Perch-compatible Content Security Policy needed

  • I saw a post some time ago, I think, in the now-defunct old Perch forum.

    Somebody posted a chunk of code that would be in the htaccess file - a content security policy that would mean Perch CMS would still function.

    Would any of the kind people in the Perch Community like to reply with the CSP that would mean 'unsafe-inline' in script and styles don't have to be included?

  • Mikeymu, you're in luck... if you're willing to make some adjustments to Perch's core files.

    This is part of my CSP and should provide you everything you need for the login and dashboard.

    I'm generating nonces in .htaccess but you can modify the below to whatever your situation is.

    Once you've done this, go to the /perch/config/config.php and define a constant with the nonce value:

    Code
    define('SECURITY_NONCE', $_SERVER['X_HTTP_NONCE']); // per-request nonce passed in by the web server (set in .htaccess)

    Then you're going to go into /perch/core/ and you're going to modify those inline <script> and <style> tags in /perch/core/layout/top.php and /perch/core/layout/login/top.php adding the nonce attribute and echoing your constant:

    PHP
    <style nonce="<?php echo(SECURITY_NONCE); ?>"></style>
    <script nonce="<?php echo(SECURITY_NONCE); ?>"></script>

    There is a caveat in that anytime there's an update you will have to make these modifications again. Hopefully, this helps. If you have any questions, don't hesitate.

    Gareth S
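An added example (not Perch's code and not from the answer above) showing the PHP side of the approach described: one function that validates the server-supplied nonce or generates its own, the CSP header built from that same nonce, and an escaped attribute for the layout files. The directive list, the regex and the fallback generation are assumptions to adjust for your site.

```php
<?php
// Added example: derive the nonce the CSP header and the nonce="" attributes
// share, and fall back to a PHP-generated nonce when the web server did not
// supply one. Assumed: .htaccess passes the nonce as $_SERVER['X_HTTP_NONCE'].

/**
 * Return the per-request nonce, validated, or generate a fresh one.
 * A nonce must be unpredictable and unique per response; a fixed or
 * guessable value would let injected inline markup pass the policy.
 */
function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce !== null) {
        return $nonce;                       // same value for header and markup
    }
    $fromServer = $_SERVER['X_HTTP_NONCE'] ?? '';
    // Accept only token-like values of sensible length; anything else is
    // treated as missing so a malformed value never lands inside the policy.
    if (preg_match('/^[A-Za-z0-9+\/=_-]{16,128}$/', $fromServer)) {
        $nonce = $fromServer;
    } else {
        $nonce = base64_encode(random_bytes(16));   // 128 bits of randomness
    }
    return $nonce;
}

/** Policy string: nonce for inline script/style, no 'unsafe-inline'. */
function csp_header_value(string $nonce): string
{
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; "
         . "style-src 'self' 'nonce-{$nonce}'; "
         . "img-src 'self' data:; object-src 'none'; base-uri 'self'";
}

/** Attribute fragment for the <script>/<style> tags in Perch's layout files. */
function csp_nonce_attr(string $nonce): string
{
    return 'nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '"';
}

// Usage, before any output (e.g. at the top of /perch/config/config.php):
$nonce = csp_nonce();
define('SECURITY_NONCE', $nonce);
if (!headers_sent()) {
    header('Content-Security-Policy: ' . csp_header_value($nonce));
}
// In top.php: <script <?php echo csp_nonce_attr(SECURITY_NONCE); ?>>...</script>
```

If the header is already emitted by .htaccess, drop the header() call here so the two do not disagree; the browser enforces every CSP header it receives.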