Populated CSP related directives

- Added TODO
- Copied directives from .htaccess to the ContentSecurityPolicy.php config file.
- Left CSPEnabled set to false in App.php because there is currently no CSP3 support in CI4
- Added `img-src blob:` To Content-Security-Policy header to remove error.

Signed-off-by: objecttothis <objecttothis@gmail.com>

app/Config/App.php

@@ -277,7 +277,7 @@ class App extends BaseConfig
 	 * @see http://www.html5rocks.com/en/tutorials/security/content-security-policy/
 	 * @see http://www.w3.org/TR/CSP/
 	 */
-	public bool $CSPEnabled = false;
+	public bool $CSPEnabled = false;	//TODO: Currently CSP3 tags are not supported so enabling this causes problems with script-src-elem, style-src-attr and style-src-elem
 
 	public function __construct()
 	{

app/Config/ContentSecurityPolicy.php

@@ -47,28 +47,45 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * @var list<string>|string|null
      */
-    public $defaultSrc;
+    public $defaultSrc = [
+		'self',
+		'www.google.com',
+	];
 
     /**
      * Lists allowed scripts' URLs.
      *
      * @var list<string>|string
      */
-    public $scriptSrc = 'self';
+    public $scriptSrc = [
+		'self',
+		'unsafe-inline',
+		'unsafe-eval',
+		'www.google.com www.gstatic.com'
+	];
 
     /**
      * Lists allowed stylesheets' URLs.
      *
      * @var list<string>|string
      */
-    public $styleSrc = 'self';
+	public $styleSrc = [
+		'self',
+		'unsafe-inline',
+		'nonce-{csp-style-nonce}',
+		'https://fonts.googleapis.com',
+	];
 
-    /**
+	/**
      * Defines the origins from which images can be loaded.
      *
      * @var list<string>|string
      */
-    public $imageSrc = 'self';
+    public $imageSrc = [
+		'self',
+		'data:',
+		'blob:',
+	];
 
     /**
      * Restricts the URLs that can appear in a page's `<base>` element.
@@ -92,14 +109,21 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * @var list<string>|string
      */
-    public $connectSrc = 'self';
+    public $connectSrc = [
+		'self',
+		'nominatim.openstreetmap.org',
+	];
 
     /**
      * Specifies the origins that can serve web fonts.
      *
      * @var list<string>|string
      */
-    public $fontSrc;
+    public $fontSrc = [
+		'self',
+		'fonts.googleapis.com',
+		'fonts.gstatic.com',
+	];
 
     /**
      * Lists valid endpoints for submission from `<form>` tags.
@@ -138,14 +162,14 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * @var list<string>|string
      */
-    public $objectSrc = 'self';
+    public $objectSrc = 'none';
 
     /**
      * @var list<string>|string|null
      */
     public $manifestSrc;
 
-    /**
+     /**
      * Limits the kinds of plugins a page may invoke.
      *
      * @var list<string>|string|null

public/.htaccess

@@ -68,7 +68,7 @@ Options All -Indexes
 
 <IfModule mod_headers.c>
   Header always set X-Frame-Options "SAMEORIGIN"
-  Header add Content-Security-Policy "default-src 'self' www.google.com; connect-src 'self' nominatim.openstreetmap.org; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com; img-src 'self' data:; object-src 'none'; form-action 'self'"
+  Header add Content-Security-Policy "default-src 'self' www.google.com; connect-src 'self' nominatim.openstreetmap.org; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com; img-src 'self' data: blob:; object-src 'none'; form-action 'self'"
   Header set X-Content-Type-Options "nosniff"
   Header set X-XSS-Protection "1; mode=block"
   Header set X-Frame-Options "DENY"