src/EventListener/RequestListener.php line 9

  1. <?php
  3. namespace App\EventListener;
  5. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  7. class RequestListener
  8. {
  9.     public function onKernelResponse(ResponseEvent $event): void
  10.     {
  11.         if (!$event->isMainRequest()) {
  12.             return;
  13.         }
  15.         if ('1' === $_ENV['FERRERO_HEADERS'] && 'test' !== $_ENV['APP_ENV']) {
  16.             $event->getResponse()->headers->add([
  17.                 'X-XSS-Protection' => "1; mode=block",
  18.                 'X-Frame-Options' => "DENY",
  19.                 'X-Content-Type-Options' => "nosniff",
  20.                 'Content-Security-Policy' => "object-src 'multimedia plugins like Adobe Flash' {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']} www.jeu2024.jeu-jpchenet.fr ; script-src  'self' 'unsafe-inline' 'JavaScript code'  code.jquery.com www.nutella.com static.addtoany.com www.google.com www.gstatic.com www.google.com {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']} www.jeu2024.jeu-jpchenet.fr ferrero.containers.piwik.pro cdnjs.cloudflare.com www.googletagmanager.com cdn.cookielaw.org ; form-action 'self'; frame-ancestors 'self' {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']}; connect-src 'XMLHttpRequest' WebSockets EventSource {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']} www.jeu2024.jeu-jpchenet.fr cdn.cookielaw.org ; font-src 'fonts' {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']} www.jeu2024.jeu-jpchenet.fr fonts.gstatic.com  ; frame-src 'frame' www.google.com  static.addtoany.com {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']} www.jeu2024.jeu-jpchenet.fr ; img-src 'images' www.nutella.com {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']} www.jeu2024.jeu-jpchenet.fr sogec-marketing.web.oxv.fr www.static.ferrero.com data: cdn.cookielaw.org  ; media-src 'audio/video' {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']} www.jeu2024.jeu-jpchenet.fr ; style-src 'CSS sheets' {$_ENV['RQST_CTXT_HOST']} {$_ENV['DOMAIN']} www.jeu2024.jeu-jpchenet.fr www.google.com fonts.googleapis.com 'unsafe-inline' cdnjs.cloudflare.com;",
  21.                 'Strict-Transport-Security' => "max-age=63072000; includeSubDomains; preload;",
  22.                 'Permissions-Policy' => "camera=none",
  23.                 'Referrer-Policy' => "no-referrer-when-downgrade",
  24.             ]);
  25.         } else {
  26.             $event->getResponse()->headers->add([
  27.                 'X-XSS-Protection' => "1; mode=block",
  28.                 'X-Frame-Options' => "DENY",
  29.                 'X-Content-Type-Options' => "nosniff",
  30.                 'Content-Security-Policy' => "object-src 'none'; script-src 'self' 'unsafe-inline' js-agent.newrelic.com code.jquery.com www.nutella.com  static.addtoany.com www.google.com www.gstatic.com ; form-action 'self'; frame-ancestors 'self';",
  31.                 'Strict-Transport-Security' => "max-age=63072000; includeSubDomains; preload;",
  32.             ]);
  33.         }
  34.     }
  35. }