*/ class AddContentSecurityPolicyListener implements IEventListener { public function __construct( private IRequest $request, private AppConfig $config, private CapabilitiesService $capabilitiesService, ) { } #[\Override] public function handle(Event $event): void { if (!$event instanceof AddContentSecurityPolicyEvent) { return; } if (!$this->isPageLoad()) { return; } $policy = new EmptyContentSecurityPolicy(); $policy->addAllowedFrameDomain("'self'"); $policy->addAllowedFrameDomain('nc:'); if ($this->capabilitiesService->hasWASMSupport()) { $policy->allowEvalWasm(true); } foreach ($this->config->getDomainList() as $url) { $policy->addAllowedFrameDomain($url); $policy->addAllowedFormActionDomain($url); $policy->addAllowedFrameAncestorDomain($url); $policy->addAllowedImageDomain($url); } if ($this->isSettingsPage()) { $policy->addAllowedConnectDomain('*'); } $event->addPolicy($policy); } private function isPageLoad(): bool { $scriptNameParts = explode('/', $this->request->getScriptName()); return end($scriptNameParts) === 'index.php'; } private function isSettingsPage(): bool { return str_starts_with($this->request->getPathInfo(), '/settings/admin/richdocuments'); } }