From e714599fad99607e4d6be2acec9608f325a426f9 Mon Sep 17 00:00:00 2001
From: Timothy J Warren
Date: Thu, 13 Apr 2017 15:08:28 -0400
Subject: [PATCH] Update dependencies, and set a more locked-down content security policy

---
 composer.json      | 4 ++--
 src/Controller.php | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/composer.json b/composer.json
index 57ad8fa1..9e6b6ac2 100644
--- a/composer.json
+++ b/composer.json
@@ -21,7 +21,7 @@
         "aura/router": "^3.0",
         "aura/session": "^2.0",
         "aviat/banker": "^1.0.0",
-        "aviat/ion": "^2.0.0",
+        "aviat/ion": "^2.1.0",
         "monolog/monolog": "^1.0",
         "psr/http-message": "~1.0",
         "psr/log": "~1.0",
@@ -37,7 +37,7 @@
         "phploc/phploc": "^3.0",
         "phpmd/phpmd": "^2.4",
         "phpunit/phpunit": "^6.0",
-        "robmorgan/phinx": "~0.6.4",
+        "robmorgan/phinx": "^0.8.0",
         "consolidation/robo": "~1.0",
         "henrikbjorn/lurker": "^1.1.0",
         "symfony/var-dumper": "^3.2",
diff --git a/src/Controller.php b/src/Controller.php
index 5d655914..0842d2ed 100644
--- a/src/Controller.php
+++ b/src/Controller.php
@@ -239,6 +239,13 @@ class Controller {
 	 */
 	protected function renderFullPage($view, string $template, array $data)
 	{
+		$csp = [
+			"default-src 'self'",
+			"object-src 'none'",
+			"child-src 'none'",
+		];
+
+		$view->addHeader('Content-Security-Policy', implode('; ', $csp));
 		$view->appendOutput($this->loadPartial($view, 'header', $data));

 		if (array_key_exists('message', $data) && is_array($data['message']))
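Review bot: The new policy still leaves the page frameable by any origin and `<base>`/form targets unconstrained, because `default-src` is not a fallback for `frame-ancestors`, `base-uri` or `form-action`; add `"base-uri 'self'"`, `"form-action 'self'"` and `"frame-ancestors 'none'"` to `$csp` (the last also covers clickjacking where a separate X-Frame-Options header would otherwise be needed). Without an explicit `script-src`/`style-src`, `default-src 'self'` blocks inline `<script>` blocks, `style=` attributes, `javascript:` URLs and `eval()`, so it is worth confirming that the partials loaded via `loadPartial` contain none of these before shipping, or the pages will render without their scripts and styles. The header is also only emitted from `renderFullPage`, so any other response path this controller has presumably goes out without a CSP. The body of `renderFullPage` continues past the end of the hunk.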