Use standalone switch for CSP

pabzm · pabzm · commit 112bc970817e · 2025-02-03T17:17:49.000+01:00
diff --git a/plugins/help/help.php b/plugins/help/help.php
@@ -78,7 +78,7 @@ public function action()
             'tablink' => [$this, 'tablink'],
         ]);
 
-        $rcmail->output->set_env('safemode', true);
+        $rcmail->output->csp_allow_remote_ressources = true;
         $rcmail->output->set_env('help_links', $this->help_metadata());
         $rcmail->output->send(!empty($_GET['_content']) ? 'help.content' : 'help.help');
     }
diff --git a/program/actions/mail/compose.php b/program/actions/mail/compose.php
@@ -683,7 +683,7 @@ public static function prepare_message_body()
         // We can't depend the "safemode" on the message being HTML or not
         // because the user might want to change the editor after loading the
         // page, and then add remote ressources.
-        $rcmail->output->set_env('safemode', true);
+        $rcmail->output->csp_allow_remote_ressources = true;
 
         return $body;
     }
diff --git a/program/actions/settings/identity_edit.php b/program/actions/settings/identity_edit.php
@@ -75,7 +75,7 @@ public function run($args = [])
             $rcmail->output->send('identityadd');
         }
 
-        $rcmail->output->set_env('safemode', true);
+        $rcmail->output->csp_allow_remote_ressources = true;
         $rcmail->output->send('identityedit');
     }
 
diff --git a/program/actions/settings/response_edit.php b/program/actions/settings/response_edit.php
@@ -46,7 +46,7 @@ public function run($args = [])
 
         $rcmail->output->set_pagetitle($title);
         $rcmail->output->set_env('readonly', !empty(self::$response['static']));
-        $rcmail->output->set_env('safemode', true);
+        $rcmail->output->csp_allow_remote_ressources = true;
         $rcmail->output->add_handler('responseform', [$this, 'response_form']);
         $rcmail->output->send('responseedit');
     }
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
@@ -23,6 +23,7 @@
 class rcmail_output_html extends rcmail_output
 {
     public $type = 'html';
+    public $csp_allow_remote_ressources = false;
 
     protected $message;
     protected $template_name;
@@ -2729,7 +2730,7 @@ protected function add_csp_header(): void
         $csp = $this->get_csp_value('content_security_policy');
         if ($csp !== false) {
             $csp_parts = [$csp];
-            if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
+            if ($this->csp_allow_remote_ressources || (isset($this->env['safemode']) && $this->env['safemode'] === true)) {
                 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
                 if ($csp_allow_remote !== false) {
                     $csp_parts[] = $csp_allow_remote;

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ public function action()`
`78`	`78`	`'tablink' => [$this, 'tablink'],`
`79`	`79`	`]);`
`80`	`80`
`81`		`- $rcmail->output->set_env('safemode', true);`
	`81`	`+ $rcmail->output->csp_allow_remote_ressources = true;`
`82`	`82`	`$rcmail->output->set_env('help_links', $this->help_metadata());`
`83`	`83`	`$rcmail->output->send(!empty($_GET['_content']) ? 'help.content' : 'help.help');`
`84`	`84`	`}`
Original file line number	Diff line number	Diff line change
`@@ -683,7 +683,7 @@ public static function prepare_message_body()`
`683`	`683`	`// We can't depend the "safemode" on the message being HTML or not`
`684`	`684`	`// because the user might want to change the editor after loading the`
`685`	`685`	`// page, and then add remote ressources.`
`686`		`- $rcmail->output->set_env('safemode', true);`
	`686`	`+ $rcmail->output->csp_allow_remote_ressources = true;`
`687`	`687`
`688`	`688`	`return $body;`
`689`	`689`	`}`
Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ public function run($args = [])`
`75`	`75`	`$rcmail->output->send('identityadd');`
`76`	`76`	`}`
`77`	`77`
`78`		`- $rcmail->output->set_env('safemode', true);`
	`78`	`+ $rcmail->output->csp_allow_remote_ressources = true;`
`79`	`79`	`$rcmail->output->send('identityedit');`
`80`	`80`	`}`
`81`	`81`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ public function run($args = [])`
`46`	`46`
`47`	`47`	`$rcmail->output->set_pagetitle($title);`
`48`	`48`	`$rcmail->output->set_env('readonly', !empty(self::$response['static']));`
`49`		`- $rcmail->output->set_env('safemode', true);`
	`49`	`+ $rcmail->output->csp_allow_remote_ressources = true;`
`50`	`50`	`$rcmail->output->add_handler('responseform', [$this, 'response_form']);`
`51`	`51`	`$rcmail->output->send('responseedit');`
`52`	`52`	`}`