Add additional CSP header values only if present

If people write a lax default CSP they might set the additional config option to the blank string, or false. Then the CSP header should not contain that value.
roundcube · Oct 29, 2024 · feb8e9f · feb8e9f
1 parent 6f00ac2
commit feb8e9f
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
@@ -2731,7 +2731,9 @@ protected function add_csp_header(): void
             $csp_header = "Content-Security-Policy: {$csp}";
             if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
                 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
-                $csp_header .= "; {$csp_allow_remote}";
+                if (!in_array($csp_allow_remote, ['', false, 'false', null])) {
+                    $csp_header .= "; {$csp_allow_remote}";
+                }
             }
             $this->header($csp_header);
         }