<?php
namespace App\EventListener;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
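class RequestListener
{
    /** Campaign host that is allow-listed in most directives of the extended CSP. */
    private const CAMPAIGN_HOST = 'www.jeu2024.jeu-jpchenet.fr';

    /**
     * Headers sent on every main response, in both configurations.
     *
     * X-XSS-Protection "1; mode=block" is kept as shipped; current guidance (OWASP,
     * MDN) is to send "0" and rely on CSP instead, because the legacy auditor was
     * removed from Chromium and could leak information in engines that still have it.
     * That is a policy decision, not a code defect, so it is only noted here.
     */
    private const COMMON_HEADERS = [
        'X-XSS-Protection' => '1; mode=block',
        'X-Frame-Options' => 'DENY',
        'X-Content-Type-Options' => 'nosniff',
        'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload;',
    ];

    /** CSP used when FERRERO_HEADERS is not "1" or APP_ENV is "test". */
    private const DEFAULT_CSP = "object-src 'none'; script-src 'self' 'unsafe-inline' js-agent.newrelic.com code.jquery.com www.nutella.com static.addtoany.com www.google.com www.gstatic.com ; form-action 'self'; frame-ancestors 'self';";

    /**
     * Adds the security response headers to the main response.
     *
     * Sub-requests (ESI fragments, forwards) are skipped so the headers are set
     * once, on the response that is actually sent to the client.
     */
    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $headers = self::COMMON_HEADERS;

        if ($this->ferreroHeadersEnabled()) {
            $headers['Content-Security-Policy'] = $this->buildFerreroCsp();
            $headers['Permissions-Policy'] = 'camera=none';
            $headers['Referrer-Policy'] = 'no-referrer-when-downgrade';
        } else {
            // NOTE(review): Permissions-Policy and Referrer-Policy were only ever sent
            // in the branch above; that is preserved, but they are likely wanted here too.
            $headers['Content-Security-Policy'] = self::DEFAULT_CSP;
        }

        $event->getResponse()->headers->add($headers);
    }

    /**
     * Whether the extended (Ferrero) header set applies to this environment.
     *
     * Unset variables count as "not enabled" instead of raising an
     * "Undefined array key" warning on every response.
     */
    private function ferreroHeadersEnabled(): bool
    {
        return ($_ENV['FERRERO_HEADERS'] ?? '') === '1'
            && ($_ENV['APP_ENV'] ?? '') !== 'test';
    }

    /**
     * Builds the extended Content-Security-Policy value.
     *
     * The previous inline string contained explanatory labels copied from a CSP cheat
     * sheet as if they were source expressions ('JavaScript code', 'images',
     * 'CSS sheets', WebSockets, EventSource, ...). Browsers treat unknown quoted
     * keywords as invalid sources and ignore them with a console warning, and the
     * bare words only match hosts literally named that way, so dropping them does not
     * change the enforced policy. Duplicate hosts (www.google.com) are listed once.
     */
    private function buildFerreroCsp(): string
    {
        $host = $_ENV['RQST_CTXT_HOST'] ?? '';
        $domain = $_ENV['DOMAIN'] ?? '';
        $campaign = self::CAMPAIGN_HOST;

        $directives = [
            // NOTE(review): unlike DEFAULT_CSP this does not use 'none'; plugin content
            // may still be loaded from the listed hosts. Consider aligning the two.
            'object-src' => [$host, $domain, $campaign],
            // 'unsafe-inline' removes most of the XSS protection script-src offers;
            // nonces or hashes would be the next hardening step.
            'script-src' => [
                "'self'", "'unsafe-inline'", 'code.jquery.com', 'www.nutella.com',
                'static.addtoany.com', 'www.google.com', 'www.gstatic.com',
                $host, $domain, $campaign, 'ferrero.containers.piwik.pro',
                'cdnjs.cloudflare.com', 'www.googletagmanager.com', 'cdn.cookielaw.org',
            ],
            'form-action' => ["'self'"],
            // Browsers that support frame-ancestors ignore X-Frame-Options, so framing
            // by $host/$domain is allowed there and denied only by legacy engines.
            'frame-ancestors' => ["'self'", $host, $domain],
            'connect-src' => [$host, $domain, $campaign, 'cdn.cookielaw.org'],
            'font-src' => [$host, $domain, $campaign, 'fonts.gstatic.com'],
            'frame-src' => ['www.google.com', 'static.addtoany.com', $host, $domain, $campaign],
            'img-src' => [
                'www.nutella.com', $host, $domain, $campaign, 'sogec-marketing.web.oxv.fr',
                'www.static.ferrero.com', 'data:', 'cdn.cookielaw.org',
            ],
            'media-src' => [$host, $domain, $campaign],
            'style-src' => [
                $host, $domain, $campaign, 'www.google.com', 'fonts.googleapis.com',
                "'unsafe-inline'", 'cdnjs.cloudflare.com',
            ],
        ];

        return self::serializeCsp($directives);
    }

    /**
     * Serialises directive => sources into a single CSP header value.
     *
     * Empty sources (an unset RQST_CTXT_HOST or DOMAIN) are dropped instead of being
     * emitted as empty tokens.
     *
     * @param array<string, list<string>> $directives
     */
    private static function serializeCsp(array $directives): string
    {
        $parts = [];
        foreach ($directives as $name => $sources) {
            $sources = array_values(array_filter($sources, static function (string $source): bool {
                return $source !== '';
            }));
            $parts[] = $name . ' ' . implode(' ', $sources);
        }

        return implode('; ', $parts) . ';';
    }
}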