MediaWiki
1.33.0
|
Public Member Functions | |
__construct ( $nonce, WebResponse $response, Config $mwConfig) | |
sendCSPHeader ( $csp, $reportOnly) | |
Send a single CSP header based on a given policy config. More... | |
Static Public Member Functions | |
static | falsePositiveBrowser ( $ua) |
Does this browser give false positive reports? More... | |
static | isNonceRequired (Config $config) |
Should we set nonce attribute. More... | |
static | sendHeaders (IContextSource $context) |
Send CSP headers based on wiki config. More... | |
Public Attributes | |
const | FULL_MODE = 2 |
const | REPORT_ONLY_MODE = 1 |
Private Member Functions | |
escapeUrlForCSP ( $url) | |
CSP spec says ',' and ';' are not allowed to appear in urls. More... | |
getAdditionalSelfUrls () | |
Get additional host names for the wiki (e.g. More... | |
getAdditionalSelfUrlsScript () | |
Get additional script sources. More... | |
getCORSSources () | |
include domains that are allowed to send us CORS requests. More... | |
getHeaderName ( $reportOnly) | |
Get the name of the HTTP header to use. More... | |
getReportUri ( $mode) | |
Get the default report uri. More... | |
makeCSPDirectives ( $policyConfig, $mode) | |
Determine what CSP policies to set for this page. More... | |
prepareUrlForCSP ( $url) | |
Given a url, convert to form needed for CSP. More... | |
Private Attributes | |
Config | $mwConfig |
The site configuration object. More... | |
string | $nonce |
The nonce to use for inline scripts (from OutputPage) More... | |
WebResponse | $response |
Definition at line 27 of file ContentSecurityPolicy.php.
ContentSecurityPolicy::__construct | ( | $nonce, | |
WebResponse | $response, | ||
Config | $mwConfig | ||
) |
string | $nonce | |
WebResponse | $response | |
Config | $mwConfig |
Definition at line 43 of file ContentSecurityPolicy.php.
|
private |
CSP spec says ',' and ';' are not allowed to appear in urls.
string | $url | URL (or possibly just part of one) |
Definition at line 452 of file ContentSecurityPolicy.php.
Referenced by getReportUri(), makeCSPDirectives(), and prepareUrlForCSP().
|
static |
Does this browser give false positive reports?
Some versions of firefox (40-42) incorrectly report a csp violation for nonce sources, despite allowing them.
string | $ua | User-agent header |
Definition at line 470 of file ContentSecurityPolicy.php.
Referenced by ApiCSPReport\getFlags(), and ContentSecurityPolicyTest\testFalsePositiveBrowser().
|
private |
Get additional host names for the wiki (e.g.
if static content loaded elsewhere)
Definition at line 369 of file ContentSecurityPolicy.php.
References $path, $value, as, prepareUrlForCSP(), and RepoGroup\singleton().
Referenced by makeCSPDirectives().
|
private |
Get additional script sources.
Definition at line 338 of file ContentSecurityPolicy.php.
References $path, $value, as, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
|
private |
include domains that are allowed to send us CORS requests.
Technically, $wgCrossSiteAJAXdomains lists things that are allowed to talk to us not things that we are allowed to talk to - but if something is allowed to talk to us, then there is a good chance that we should probably be allowed to talk to it.
This is configurable with the 'includeCORS' key in the CSP config, and enabled by default.
Definition at line 429 of file ContentSecurityPolicy.php.
References $source, as, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
|
private |
Get the name of the HTTP header to use.
int | $reportOnly | Either self::REPORT_ONLY_MODE or self::FULL_MODE |
UnexpectedValueException |
Definition at line 103 of file ContentSecurityPolicy.php.
Referenced by sendCSPHeader().
|
private |
Get the default report uri.
int | $mode | self::*_MODE constant. |
UnexpectedValueException | if given invalid mode. |
Definition at line 272 of file ContentSecurityPolicy.php.
References escapeUrlForCSP(), wfAppendQuery(), and wfScript().
Referenced by makeCSPDirectives().
|
static |
Should we set nonce attribute.
Config | $config | Configuration object |
Definition at line 480 of file ContentSecurityPolicy.php.
References as, and Config\get().
Referenced by ContentSecurityPolicyTest\testCSPIsEnabled().
|
private |
Determine what CSP policies to set for this page.
array | bool | $policyConfig | Policy configuration (Either $wgCSPHeader or $wgCSPReportOnlyHeader) |
int | $mode | self::REPORT_ONLY_MODE, self::FULL_MODE |
Definition at line 122 of file ContentSecurityPolicy.php.
References $mwConfig, as, escapeUrlForCSP(), Config\get(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), getCORSSources(), getReportUri(), Hooks\run(), and wfMessage().
Referenced by sendCSPHeader().
|
private |
Given a url, convert to form needed for CSP.
Currently this does either scheme + host, or if protocol relative, just the host. Future versions could potentially preserve some of the path, if its determined that that would be a good idea.
string | $url |
Definition at line 305 of file ContentSecurityPolicy.php.
References escapeUrlForCSP(), and wfParseUrl().
Referenced by getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), and getCORSSources().
ContentSecurityPolicy::sendCSPHeader | ( | $csp, | |
$reportOnly | |||
) |
Send a single CSP header based on a given policy config.
array | $csp | ContentSecurityPolicy configuration |
int | $reportOnly | self::*_MODE constant |
Definition at line 56 of file ContentSecurityPolicy.php.
References getHeaderName(), and makeCSPDirectives().
|
static |
Send CSP headers based on wiki config.
Main method that callers are expected to use
IContextSource | $context | A context object, the associated OutputPage object must be the one that the page in question was generated with. |
Definition at line 73 of file ContentSecurityPolicy.php.
|
private |
The site configuration object.
Definition at line 34 of file ContentSecurityPolicy.php.
Referenced by __construct(), and makeCSPDirectives().
|
private |
The nonce to use for inline scripts (from OutputPage)
Definition at line 32 of file ContentSecurityPolicy.php.
Referenced by __construct().
|
private |
Definition at line 36 of file ContentSecurityPolicy.php.
Referenced by __construct().
const ContentSecurityPolicy::FULL_MODE = 2 |
Definition at line 29 of file ContentSecurityPolicy.php.
Referenced by ContentSecurityPolicyTest\testGetHeaderName(), ContentSecurityPolicyTest\testGetReportUri(), ContentSecurityPolicyTest\testMakeCSPDirectives(), and ContentSecurityPolicyTest\testMakeCSPDirectivesImage().
const ContentSecurityPolicy::REPORT_ONLY_MODE = 1 |