diff --git a/src/EventSubscriber/SecKitEventSubscriber.php b/src/EventSubscriber/SecKitEventSubscriber.php
old mode 100644
new mode 100755
index 622f98a..8cd15ad
--- a/src/EventSubscriber/SecKitEventSubscriber.php
+++ b/src/EventSubscriber/SecKitEventSubscriber.php
@@ -177,6 +177,7 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
$csp_connect_src = $this->config->get('seckit_xss.csp.connect-src');
$csp_report_uri = $this->config->get('seckit_xss.csp.report-uri');
$csp_policy_uri = $this->config->get('seckit_xss.csp.policy-uri');
+ $csp_plugin_types = $this->config->get('seckit_xss.csp.plugin-types');
// Prepare directives.
$directives = [];
@@ -219,6 +220,9 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
if ($csp_report_uri) {
$directives[] = "report-uri " . base_path() . $csp_report_uri;
}
+ if ($csp_plugin_types) {
+ $directives[] = "plugin-types $csp_plugin_types";
+ }
// Merge directives.
$directives = implode('; ', $directives);
// }
diff --git a/src/Form/SecKitSettingsForm.php b/src/Form/SecKitSettingsForm.php
old mode 100644
new mode 100755
index 76d9a48..e24ee2f
--- a/src/Form/SecKitSettingsForm.php
+++ b/src/Form/SecKitSettingsForm.php
@@ -207,6 +207,15 @@ class SecKitSettingsForm extends ConfigFormBase {
'#description' => $this->t("Specify a URL (relative to the Drupal root) for a file containing the (entire) policy. All other directives will be omitted by Security Kit, as policy-uri may only be defined in the absence of other policy definitions in the X-Content-Security-Policy HTTP header. The MIME type for this URI must be text/x-content-security-policy, otherwise user-agents will enforce the policy allow 'none' instead."),
];
+ // CSP plugin-types
+ $form['seckit_xss']['csp']['plugin-types'] = array(
+ '#type' => 'textfield',
+ '#maxlength'=> 1024,
+ '#default_value' => $config->get('seckit_xss.csp.plugin-types'),
+ '#title' => 'plugin-types ',
+ '#description' => t("Defines valid MIME types for plugins invoked via <object> and <embed>. To load an <applet> you must specify application/x-java-applet."),
+ );
+
// Fieldset for X-XSS-Protection.
$form['seckit_xss']['x_xss'] = [
'#type' => 'details',
diff --git a/src/Tests/SecKitCSPCaseTest.php b/src/Tests/SecKitCSPCaseTest.php
old mode 100644
new mode 100755
index 8bcc7e1..26e7b5a
--- a/src/Tests/SecKitCSPCaseTest.php
+++ b/src/Tests/SecKitCSPCaseTest.php
@@ -79,9 +79,10 @@ class SecKitCSPCaseTest extends WebTestBase {
'seckit_xss[csp][font-src]' => '*',
'seckit_xss[csp][connect-src]' => '*',
'seckit_xss[csp][report-uri]' => $this->reportPath,
+ 'seckit_xss[csp][plugin-types]' => '*',
];
$this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
- $expected = 'default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; child-src *; font-src *; connect-src *; report-uri ' . base_path() . $this->reportPath;
+ $expected = 'default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; child-src *; font-src *; connect-src *; plugin-types *; report-uri ' . base_path() . $this->reportPath;
$this->assertEqual($expected, $this->drupalGetHeader('Content-Security-Policy'), t('Content-Security-Policy has all the directves (Official).'));
$this->assertEqual($expected, $this->drupalGetHeader('X-Content-Security-Policy'), t('X-Content-Security-Policy has all the directves (Mozilla and IE10).'));
$this->assertEqual($expected, $this->drupalGetHeader('X-WebKit-CSP'), t('X-WebKit-CSP has all the directves (Chrome and Safari).'));
@@ -143,6 +144,7 @@ class SecKitCSPCaseTest extends WebTestBase {
'seckit_xss[csp][connect-src]' => '',
'seckit_xss[csp][report-uri]' => $this->reportPath,
'seckit_xss[csp][policy-uri]' => '',
+ 'seckit_xss[csp][plugin-types]' => '',
];
$this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
$expected = "default-src self; report-uri " . base_path() . $this->reportPath;
diff --git a/src/Tests/SecKitTestCaseTest.php b/src/Tests/SecKitTestCaseTest.php
old mode 100644
new mode 100755
index e43c6b1..2d86635
--- a/src/Tests/SecKitTestCaseTest.php
+++ b/src/Tests/SecKitTestCaseTest.php
@@ -90,9 +90,10 @@ class SecKitTestCaseTest extends WebTestBase {
'seckit_xss[csp][font-src]' => '*',
'seckit_xss[csp][connect-src]' => '*',
'seckit_xss[csp][report-uri]' => $this->reportPath,
+ 'seckit_xss[csp][plugin-types]' => '*',
];
$this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
- $expected = 'default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; child-src *; font-src *; connect-src *; report-uri ' . base_path() . $this->reportPath;
+ $expected = 'default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; child-src *; font-src *; connect-src *; plugin-types *; report-uri ' . base_path() . $this->reportPath;
$this->assertEqual($expected, $this->drupalGetHeader('Content-Security-Policy'), t('Content-Security-Policy has all the directives (Official).'));
$this->assertEqual($expected, $this->drupalGetHeader('X-Content-Security-Policy'), t('X-Content-Security-Policy has all the directives (Mozilla and IE10).'));
$this->assertEqual($expected, $this->drupalGetHeader('X-WebKit-CSP'), t('X-WebKit-CSP has all the directives (Chrome and Safari).'));
@@ -153,6 +154,7 @@ class SecKitTestCaseTest extends WebTestBase {
'seckit_xss[csp][connect-src]' => '',
'seckit_xss[csp][report-uri]' => $this->reportPath,
'seckit_xss[csp][policy-uri]' => '',
+ 'seckit_xss[csp][plugin-types]' => '',
];
$this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
$expected = "default-src self; report-uri " . base_path() . $this->reportPath;