From f0291c75fb2f55cde2730b82ccbf8101f117e836 Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Tue, 24 Dec 2024 14:28:14 -0500
Subject: [PATCH] All: add CSP report only header for all blog sites - allow scripts, styles, and images from code.jquery.com

---
 jquery/functions.php | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/jquery/functions.php b/jquery/functions.php
index cbdaea0..8c79196 100755
--- a/jquery/functions.php
+++ b/jquery/functions.php
@@ -281,3 +281,35 @@ function twentyeleven_body_classes( $classes ) {
 	return $classes;
 }
 add_filter( 'body_class', 'twentyeleven_body_classes' );
+
+/**
+ * Content Security Policy
+ */
+function twentyeleven_content_security_policy() {
+	$report_url = 'https://csp-report-api.openjs-foundation.workers.dev/';
+	$policy = array(
+		'default-src' => "'self'",
+		'script-src' => "'self' code.jquery.com",
+		'style-src' => "'self' code.jquery.com",
+		'img-src' => "'self' code.jquery.com",
+		'object-src' => "'none'",
+		'frame-ancestors' => "'none'",
+		'block-all-mixed-content' => '',
+		'report-to' => 'csp-endpoint',
+		// Add report-uri for Firefox, which
+		// does not yet support report-to
+		'report-uri' => $report_url,
+	);
+
+	$policy = apply_filters( 'twentyeleven_content_security_policy', $policy );
+
+	$policy_string = '';
+	foreach ( $policy as $key => $value ) {
+		$policy_string .= $key . ' ' . $value . '; ';
+	}
+
+	header( 'Reporting-Endpoints: csp-endpoint="' . $report_url . '"' );
+	header( 'Content-Security-Policy-Report-Only: ' . $policy_string );
+}
+
+add_action( 'send_headers', 'twentyeleven_content_security_policy' );
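Review bot: The `$policy` array in `twentyeleven_content_security_policy` has no `base-uri` or `form-action` directive, and neither of those falls back to `default-src`, so the report-only rollout will never report an injected `<base href>` (which would redirect the relative script URLs the policy otherwise restricts) or a form posting to a third-party origin. Adding `'base-uri' => "'self'",` and `'form-action' => "'self'",` next to `'frame-ancestors'` closes that gap before the header is later switched to enforcing mode. `block-all-mixed-content` is deprecated in CSP Level 3 and, with its empty value, the concatenation loop emits `block-all-mixed-content ;`; `upgrade-insecure-requests` is the supported replacement and keeps the same empty-value shape. The docblock could also state that the header is sent as `Content-Security-Policy-Report-Only` and that the directive list is exposed through the `twentyeleven_content_security_policy` filter for per-site adjustment.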