getType() === 'dir') { // If the requested path is a folder, try return its index.html. try { $fileNode = $fileNode->get('index.html'); } catch (NotFoundException $e) { return new NotFoundResponse(); } } $content = $fileNode->getContent(); $mimetype = $fileNode->getMimeType(); // Ugly hack to have exact control over the response, to e.g. prevent security middleware // messing up the CSP. TODO find a neater solution than bluntly doing header() + echo + exit. header( // Add a super strict CSP: no connectivity allowed. "Content-Security-Policy: sandbox; default-src 'none'; img-src data:; media-src data:; " . "style-src data: 'unsafe-inline'; font-src data:; frame-src data:" ); header("Content-Type: ${mimetype}"); echo $content; exit; } }