Public Member Functions | |
| __construct ( $nonce, WebResponse $response, Config $mwConfig) | |
| sendCSPHeader ( $csp, $reportOnly) | |
| Send a single CSP header based on a given policy config. More... | |
Static Public Member Functions | |
| static | falsePositiveBrowser ( $ua) |
| Does this browser give false positive reports? More... | |
| static | isNonceRequired (Config $config) |
| Should we set nonce attribute. More... | |
| static | sendHeaders (IContextSource $context) |
| Send CSP headers based on wiki config. More... | |
Public Attributes | |
| const | FULL_MODE = 2 |
| const | REPORT_ONLY_MODE = 1 |
Private Member Functions | |
| escapeUrlForCSP ( $url) | |
| CSP spec says ',' and ';' are not allowed to appear in urls. More... | |
| getAdditionalSelfUrls () | |
| Get additional host names for the wiki (e.g. More... | |
| getAdditionalSelfUrlsScript () | |
| Get additional script sources. More... | |
| getCORSSources () | |
| include domains that are allowed to send us CORS requests. More... | |
| getHeaderName ( $reportOnly) | |
| Get the name of the HTTP header to use. More... | |
| getReportUri ( $mode) | |
| Get the default report uri. More... | |
| makeCSPDirectives ( $policyConfig, $mode) | |
| Determine what CSP policies to set for this page. More... | |
| prepareUrlForCSP ( $url) | |
| Given a url, convert to form needed for CSP. More... | |
Private Attributes | |
| Config | $mwConfig |
| The site configuration object. More... | |
| string | $nonce |
| The nonce to use for inline scripts (from OutputPage) More... | |
| WebResponse | $response |
Detailed Description
Definition at line 27 of file ContentSecurityPolicy.php.
Constructor & Destructor Documentation
◆ __construct()
| ContentSecurityPolicy::__construct | ( | $nonce, | |
| WebResponse | $response, | ||
| Config | $mwConfig | ||
| ) |
- Parameters
-
string $nonce WebResponse $response Config $mwConfig
Definition at line 43 of file ContentSecurityPolicy.php.
Member Function Documentation
◆ escapeUrlForCSP()
|
private |
CSP spec says ',' and ';' are not allowed to appear in urls.
- Note
- This assumes that normal escaping has been applied to the url
- Parameters
-
string $url URL (or possibly just part of one)
- Returns
- string
Definition at line 452 of file ContentSecurityPolicy.php.
Referenced by getReportUri(), makeCSPDirectives(), and prepareUrlForCSP().
◆ falsePositiveBrowser()
|
static |
Does this browser give false positive reports?
Some versions of firefox (40-42) incorrectly report a csp violation for nonce sources, despite allowing them.
- Parameters
-
string $ua User-agent header
- Returns
- bool
Definition at line 470 of file ContentSecurityPolicy.php.
Referenced by ApiCSPReport\getFlags().
◆ getAdditionalSelfUrls()
|
private |
Get additional host names for the wiki (e.g.
if static content loaded elsewhere)
- Note
- These are general load sources, not script sources
- Returns
- array Array of other urls for wiki (for use in default-src)
Definition at line 369 of file ContentSecurityPolicy.php.
References $path, $urls, prepareUrlForCSP(), and RepoGroup\singleton().
Referenced by makeCSPDirectives().
◆ getAdditionalSelfUrlsScript()
|
private |
Get additional script sources.
- Returns
- array Additional sources for loading scripts from
Definition at line 338 of file ContentSecurityPolicy.php.
References $path, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
◆ getCORSSources()
|
private |
include domains that are allowed to send us CORS requests.
Technically, $wgCrossSiteAJAXdomains lists things that are allowed to talk to us not things that we are allowed to talk to - but if something is allowed to talk to us, then there is a good chance that we should probably be allowed to talk to it.
This is configurable with the 'includeCORS' key in the CSP config, and enabled by default.
- Note
- CORS domains with single character ('?') wildcards, are not included.
- Returns
- array Additional hosts
Definition at line 429 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
◆ getHeaderName()
|
private |
Get the name of the HTTP header to use.
- Parameters
-
int $reportOnly Either self::REPORT_ONLY_MODE or self::FULL_MODE
- Returns
- string Name of http header
- Exceptions
-
UnexpectedValueException
Definition at line 103 of file ContentSecurityPolicy.php.
Referenced by sendCSPHeader().
◆ getReportUri()
|
private |
Get the default report uri.
- Parameters
-
int $mode self::*_MODE constant.
- Returns
- string The URI to send reports to.
- Exceptions
-
UnexpectedValueException if given invalid mode.
Definition at line 272 of file ContentSecurityPolicy.php.
References escapeUrlForCSP(), wfAppendQuery(), and wfScript().
Referenced by makeCSPDirectives().
◆ isNonceRequired()
|
static |
Should we set nonce attribute.
- Parameters
-
Config $config Configuration object
- Returns
- bool
Definition at line 480 of file ContentSecurityPolicy.php.
References Config\get().
Referenced by OutputPage\getCSPNonce(), Html\inlineScript(), and Html\linkedScript().
◆ makeCSPDirectives()
|
private |
Determine what CSP policies to set for this page.
- Parameters
-
array | bool $policyConfig Policy configuration (Either $wgCSPHeader or $wgCSPReportOnlyHeader) int $mode self::REPORT_ONLY_MODE, self::FULL_MODE
- Returns
- string Policy directives, or empty string for no policy.
Definition at line 122 of file ContentSecurityPolicy.php.
References $mwConfig, escapeUrlForCSP(), Config\get(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), getCORSSources(), getReportUri(), Hooks\run(), and wfMessage().
Referenced by sendCSPHeader().
◆ prepareUrlForCSP()
|
private |
Given a url, convert to form needed for CSP.
Currently this does either scheme + host, or if protocol relative, just the host. Future versions could potentially preserve some of the path, if its determined that that would be a good idea.
- Note
- This does the extra escaping for CSP, but assumes the url has already had normal url escaping applied.
- This discards urls same as server name, as 'self' directive takes care of that.
- Parameters
-
string $url
- Returns
- string|bool Converted url or false on failure
Definition at line 305 of file ContentSecurityPolicy.php.
References escapeUrlForCSP(), and wfParseUrl().
Referenced by getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), and getCORSSources().
◆ sendCSPHeader()
| ContentSecurityPolicy::sendCSPHeader | ( | $csp, | |
| $reportOnly | |||
| ) |
Send a single CSP header based on a given policy config.
- Note
- Most callers will probably want ContentSecurityPolicy::sendHeaders() instead.
- Parameters
-
array $csp ContentSecurityPolicy configuration int $reportOnly self::*_MODE constant
Definition at line 56 of file ContentSecurityPolicy.php.
References getHeaderName(), and makeCSPDirectives().
◆ sendHeaders()
|
static |
Send CSP headers based on wiki config.
Main method that callers are expected to use
- Parameters
-
IContextSource $context A context object, the associated OutputPage object must be the one that the page in question was generated with.
Definition at line 73 of file ContentSecurityPolicy.php.
References $context.
Referenced by OutputPage\output().
Member Data Documentation
◆ $mwConfig
|
private |
The site configuration object.
Definition at line 34 of file ContentSecurityPolicy.php.
Referenced by __construct(), and makeCSPDirectives().
◆ $nonce
|
private |
The nonce to use for inline scripts (from OutputPage)
Definition at line 32 of file ContentSecurityPolicy.php.
Referenced by __construct().
◆ $response
|
private |
Definition at line 36 of file ContentSecurityPolicy.php.
Referenced by __construct().
◆ FULL_MODE
| const ContentSecurityPolicy::FULL_MODE = 2 |
Definition at line 29 of file ContentSecurityPolicy.php.
◆ REPORT_ONLY_MODE
| const ContentSecurityPolicy::REPORT_ONLY_MODE = 1 |
Definition at line 28 of file ContentSecurityPolicy.php.
The documentation for this class was generated from the following file:
- includes/ContentSecurityPolicy.php
