MediaWiki REL1_32
ContentSecurityPolicy.php
Go to the documentation of this file.
1<?php
27class ContentSecurityPolicy {
28 const REPORT_ONLY_MODE = 1;
29 const FULL_MODE = 2;
30
32 private $nonce;
34 private $mwConfig;
36 private $response;
37
43 public function __construct( $nonce, WebResponse $response, Config $mwConfig ) {
44 $this->nonce = $nonce;
45 $this->response = $response;
46 $this->mwConfig = $mwConfig;
47 }
48
56 public function sendCSPHeader( $csp, $reportOnly ) {
57 $policy = $this->makeCSPDirectives( $csp, $reportOnly );
58 $headerName = $this->getHeaderName( $reportOnly );
59 if ( $policy ) {
60 $this->response->header(
61 "$headerName: $policy"
62 );
63 }
64 }
65
73 public static function sendHeaders( IContextSource $context ) {
74 $out = $context->getOutput();
75 $csp = new ContentSecurityPolicy(
76 $out->getCSPNonce(),
77 $context->getRequest()->response(),
78 $context->getConfig()
79 );
80
81 $cspConfig = $context->getConfig()->get( 'CSPHeader' );
82 $cspConfigReportOnly = $context->getConfig()->get( 'CSPReportOnlyHeader' );
83
84 $csp->sendCSPHeader( $cspConfig, self::FULL_MODE );
85 $csp->sendCSPHeader( $cspConfigReportOnly, self::REPORT_ONLY_MODE );
86
87 // This used to insert a <meta> tag here, per advice at
88 // https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/
89 // The goal was to prevent nonce from working after the page hit onready,
90 // This would help in old browsers that didn't support nonces, and
91 // also assist for varnish-cached pages which repeat nonces.
92 // However, this is incompatible with how resource loader storage works
93 // via mw.domEval() so it was removed.
94 }
95
102 private function getHeaderName( $reportOnly ) {
103 if ( $reportOnly === self::REPORT_ONLY_MODE ) {
104 return 'Content-Security-Policy-Report-Only';
105 } elseif ( $reportOnly === self::FULL_MODE ) {
106 return 'Content-Security-Policy';
107 }
108 throw new UnexpectedValueException( $reportOnly );
109 }
110
118 private function makeCSPDirectives( $policyConfig, $mode ) {
119 if ( $policyConfig === false ) {
120 // CSP is disabled
121 return '';
122 }
123 if ( $policyConfig === true ) {
124 $policyConfig = [];
125 }
126
127 $mwConfig = $this->mwConfig;
128
129 $additionalSelfUrls = $this->getAdditionalSelfUrls();
130 $additionalSelfUrlsScript = $this->getAdditionalSelfUrlsScript();
131
132 // If no default-src is sent at all, it
133 // seems browsers (or at least some), interpret
134 // that as allow anything, but the spec seems
135 // to imply that data: and blob: should be
136 // blocked.
137 $defaultSrc = [ '*', 'data:', 'blob:' ];
138
139 $cssSrc = false;
140 $imgSrc = false;
141 $scriptSrc = [ "'unsafe-eval'", "'self'" ];
142 if ( !isset( $policyConfig['useNonces'] ) || $policyConfig['useNonces'] ) {
143 $scriptSrc[] = "'nonce-" . $this->nonce . "'";
144 }
145
146 $scriptSrc = array_merge( $scriptSrc, $additionalSelfUrlsScript );
147 if ( isset( $policyConfig['script-src'] )
148 && is_array( $policyConfig['script-src'] )
149 ) {
150 foreach ( $policyConfig['script-src'] as $src ) {
151 $scriptSrc[] = $this->escapeUrlForCSP( $src );
152 }
153 }
154 // Note: default on if unspecified.
155 if ( ( !isset( $policyConfig['unsafeFallback'] )
156 || $policyConfig['unsafeFallback'] )
157 ) {
158 // unsafe-inline should be ignored on browsers
159 // that support 'nonce-foo' sources.
160 // Some older versions of firefox don't follow this
161 // rule, but new browsers do. (Should be for at least
162 // firefox 40+).
163 $scriptSrc[] = "'unsafe-inline'";
164 }
165 // If default source option set to true or
166 // an array of urls, set a restrictive default-src.
167 // If set to false, we send a lenient default-src,
168 // see the code above where $defaultSrc is set initially.
169 if ( isset( $policyConfig['default-src'] )
170 && $policyConfig['default-src'] !== false
171 ) {
172 $defaultSrc = array_merge(
173 [ "'self'", 'data:', 'blob:' ],
174 $additionalSelfUrls
175 );
176 if ( is_array( $policyConfig['default-src'] ) ) {
177 foreach ( $policyConfig['default-src'] as $src ) {
178 $defaultSrc[] = $this->escapeUrlForCSP( $src );
179 }
180 }
181 }
182
183 if ( !isset( $policyConfig['includeCORS'] ) || $policyConfig['includeCORS'] ) {
184 $CORSUrls = $this->getCORSSources();
185 if ( !in_array( '*', $defaultSrc ) ) {
186 $defaultSrc = array_merge( $defaultSrc, $CORSUrls );
187 }
188 // Unlikely to have * in scriptSrc, but doesn't
189 // hurt to check.
190 if ( !in_array( '*', $scriptSrc ) ) {
191 $scriptSrc = array_merge( $scriptSrc, $CORSUrls );
192 }
193 }
194
195 Hooks::run( 'ContentSecurityPolicyDefaultSource', [ &$defaultSrc, $policyConfig, $mode ] );
196 Hooks::run( 'ContentSecurityPolicyScriptSource', [ &$scriptSrc, $policyConfig, $mode ] );
197
198 // Check if array just in case the hook made it false
199 if ( is_array( $defaultSrc ) ) {
200 $cssSrc = array_merge( $defaultSrc, [ "'unsafe-inline'" ] );
201 }
202
203 if ( isset( $policyConfig['report-uri'] ) && $policyConfig['report-uri'] !== true ) {
204 if ( $policyConfig['report-uri'] === false ) {
205 $reportUri = false;
206 } else {
207 $reportUri = $this->escapeUrlForCSP( $policyConfig['report-uri'] );
208 }
209 } else {
210 $reportUri = $this->getReportUri( $mode );
211 }
212
213 // Only send an img-src, if we're sending a restricitve default.
214 if ( !is_array( $defaultSrc )
215 || !in_array( '*', $defaultSrc )
216 || !in_array( 'data:', $defaultSrc )
217 || !in_array( 'blob:', $defaultSrc )
218 ) {
219 // A future todo might be to make the whitelist options only
220 // add all the whitelisted sites to the header, instead of
221 // allowing all (Assuming there is a small number of sites).
222 // For now, the external image feature disables the limits
223 // CSP puts on external images.
224 if ( $mwConfig->get( 'AllowExternalImages' )
225 || $mwConfig->get( 'AllowExternalImagesFrom' )
226 || $mwConfig->get( 'AllowImageTag' )
227 ) {
228 $imgSrc = [ '*', 'data:', 'blob:' ];
229 } elseif ( $mwConfig->get( 'EnableImageWhitelist' ) ) {
230 $whitelist = wfMessage( 'external_image_whitelist' )
231 ->inContentLanguage()
232 ->plain();
233 if ( preg_match( '/^\s*[^\s#]/m', $whitelist ) ) {
234 $imgSrc = [ '*', 'data:', 'blob:' ];
235 }
236 }
237 }
238
239 $directives = [];
240 if ( $scriptSrc ) {
241 $directives[] = 'script-src ' . implode( ' ', $scriptSrc );
242 }
243 if ( $defaultSrc ) {
244 $directives[] = 'default-src ' . implode( ' ', $defaultSrc );
245 }
246 if ( $cssSrc ) {
247 $directives[] = 'style-src ' . implode( ' ', $cssSrc );
248 }
249 if ( $imgSrc ) {
250 $directives[] = 'img-src ' . implode( ' ', $imgSrc );
251 }
252 if ( $reportUri ) {
253 $directives[] = 'report-uri ' . $reportUri;
254 }
255
256 Hooks::run( 'ContentSecurityPolicyDirectives', [ &$directives, $policyConfig, $mode ] );
257
258 return implode( '; ', $directives );
259 }
260
268 private function getReportUri( $mode ) {
269 $apiArguments = [
270 'action' => 'cspreport',
271 'format' => 'json'
272 ];
273 if ( $mode === self::REPORT_ONLY_MODE ) {
274 $apiArguments['reportonly'] = '1';
275 }
276 $reportUri = wfAppendQuery( wfScript( 'api' ), $apiArguments );
277
278 // Per spec, ';' and ',' must be hex-escaped in report uri
279 // Also add an & at the end of url to work around bug in hhvm
280 // with handling of POST parameters when always_decode_post_data
281 // is set to true. See https://github.com/facebook/hhvm/issues/6676
282 $reportUri = $this->escapeUrlForCSP( $reportUri ) . '&';
283 return $reportUri;
284 }
285
301 private function prepareUrlForCSP( $url ) {
302 $result = false;
303 if ( preg_match( '/^[a-z][a-z0-9+.-]*:$/i', $url ) ) {
304 // A schema source (e.g. blob: or data:)
305 return $url;
306 }
307 $bits = wfParseUrl( $url );
308 if ( !$bits && strpos( $url, '/' ) === false ) {
309 // probably something like example.com.
310 // try again protocol-relative.
311 $url = '//' . $url;
312 $bits = wfParseUrl( $url );
313 }
314 if ( $bits && isset( $bits['host'] )
315 && $bits['host'] !== $this->mwConfig->get( 'ServerName' )
316 ) {
317 $result = $bits['host'];
318 if ( $bits['scheme'] !== '' ) {
319 $result = $bits['scheme'] . $bits['delimiter'] . $result;
320 }
321 if ( isset( $bits['port'] ) ) {
322 $result .= ':' . $bits['port'];
323 }
324 $result = $this->escapeUrlForCSP( $result );
325 }
326 return $result;
327 }
328
334 private function getAdditionalSelfUrlsScript() {
335 $additionalUrls = [];
336 // wgExtensionAssetsPath for ?debug=true mode
337 $pathVars = [ 'LoadScript', 'ExtensionAssetsPath', 'ResourceBasePath' ];
338
339 foreach ( $pathVars as $path ) {
340 $url = $this->mwConfig->get( $path );
341 $preparedUrl = $this->prepareUrlForCSP( $url );
342 if ( $preparedUrl ) {
343 $additionalUrls[] = $preparedUrl;
344 }
345 }
346 $RLSources = $this->mwConfig->get( 'ResourceLoaderSources' );
347 foreach ( $RLSources as $wiki => $sources ) {
348 foreach ( $sources as $id => $value ) {
349 $url = $this->prepareUrlForCSP( $value );
350 if ( $url ) {
351 $additionalUrls[] = $url;
352 }
353 }
354 }
355
356 return array_unique( $additionalUrls );
357 }
358
365 private function getAdditionalSelfUrls() {
366 // XXX on a foreign repo, the included description page can have anything on it,
367 // including inline scripts. But nobody sane does that.
368
369 // In principle, you can have even more complex configs... (e.g. The urlsByExt option)
370 $pathUrls = [];
371 $additionalSelfUrls = [];
372
373 // Future todo: The zone urls should never go into
374 // style-src. They should either be only in img-src, or if
375 // img-src unspecified they should be in default-src. Similarly,
376 // the DescriptionStylesheetUrl only needs to be in style-src
377 // (or default-src if style-src unspecified).
378 $callback = function ( $repo, &$urls ) {
379 $urls[] = $repo->getZoneUrl( 'public' );
380 $urls[] = $repo->getZoneUrl( 'transcoded' );
381 $urls[] = $repo->getZoneUrl( 'thumb' );
382 $urls[] = $repo->getDescriptionStylesheetUrl();
383 };
384 $localRepo = RepoGroup::singleton()->getRepo( 'local' );
385 $callback( $localRepo, $pathUrls );
386 RepoGroup::singleton()->forEachForeignRepo( $callback, [ &$pathUrls ] );
387
388 // Globals that might point to a different domain
389 $pathGlobals = [ 'LoadScript', 'ExtensionAssetsPath', 'StylePath', 'ResourceBasePath' ];
390 foreach ( $pathGlobals as $path ) {
391 $pathUrls[] = $this->mwConfig->get( $path );
392 }
393 foreach ( $pathUrls as $path ) {
394 $preparedUrl = $this->prepareUrlForCSP( $path );
395 if ( $preparedUrl !== false ) {
396 $additionalSelfUrls[] = $preparedUrl;
397 }
398 }
399 $RLSources = $this->mwConfig->get( 'ResourceLoaderSources' );
400
401 foreach ( $RLSources as $wiki => $sources ) {
402 foreach ( $sources as $id => $value ) {
403 $url = $this->prepareUrlForCSP( $value );
404 if ( $url ) {
405 $additionalSelfUrls[] = $url;
406 }
407 }
408 }
409
410 return array_unique( $additionalSelfUrls );
411 }
412
425 private function getCORSSources() {
426 $additionalUrls = [];
427 $CORSSources = $this->mwConfig->get( 'CrossSiteAJAXdomains' );
428 foreach ( $CORSSources as $source ) {
429 if ( strpos( $source, '?' ) !== false ) {
430 // CSP doesn't support single char wildcard
431 continue;
432 }
433 $url = $this->prepareUrlForCSP( $source );
434 if ( $url ) {
435 $additionalUrls[] = $url;
436 }
437 }
438 return $additionalUrls;
439 }
440
448 private function escapeUrlForCSP( $url ) {
449 return str_replace(
450 [ ';', ',' ],
451 [ '%3B', '%2C' ],
452 $url
453 );
454 }
455
466 public static function falsePositiveBrowser( $ua ) {
467 return (bool)preg_match( '!Firefox/4[0-2]\.!', $ua );
468 }
469
476 public static function isNonceRequired( Config $config ) {
477 $configs = [
478 $config->get( 'CSPHeader' ),
479 $config->get( 'CSPReportOnlyHeader' )
480 ];
481 foreach ( $configs as $headerConfig ) {
482 if (
483 $headerConfig === true ||
484 ( is_array( $headerConfig ) &&
485 !isset( $headerConfig['useNonces'] ) ) ||
486 ( is_array( $headerConfig ) &&
487 isset( $headerConfig['useNonces'] ) &&
488 $headerConfig['useNonces'] )
489 ) {
490 return true;
491 }
492 }
493 return false;
494 }
495}
wfParseUrl
wfParseUrl( $url)
parse_url() work-alike, but non-broken.
Definition GlobalFunctions.php:814
wfAppendQuery
wfAppendQuery( $url, $query)
Append a query string to an existing URL, which may or may not already have query string parameters a...
Definition GlobalFunctions.php:460
wfScript
wfScript( $script='index')
Get the path to a specified script file, respecting file extensions; this is a wrapper around $wgScri...
Definition GlobalFunctions.php:2783
ContentSecurityPolicy\getAdditionalSelfUrls
getAdditionalSelfUrls()
Get additional host names for the wiki (e.g.
Definition ContentSecurityPolicy.php:365
ContentSecurityPolicy\__construct
__construct( $nonce, WebResponse $response, Config $mwConfig)
Definition ContentSecurityPolicy.php:43
ContentSecurityPolicy\isNonceRequired
static isNonceRequired(Config $config)
Should we set nonce attribute.
Definition ContentSecurityPolicy.php:476
ContentSecurityPolicy\prepareUrlForCSP
prepareUrlForCSP( $url)
Given a url, convert to form needed for CSP.
Definition ContentSecurityPolicy.php:301
ContentSecurityPolicy\makeCSPDirectives
makeCSPDirectives( $policyConfig, $mode)
Determine what CSP policies to set for this page.
Definition ContentSecurityPolicy.php:118
ContentSecurityPolicy\falsePositiveBrowser
static falsePositiveBrowser( $ua)
Does this browser give false positive reports?
Definition ContentSecurityPolicy.php:466
ContentSecurityPolicy\getHeaderName
getHeaderName( $reportOnly)
Get the name of the HTTP header to use.
Definition ContentSecurityPolicy.php:102
ContentSecurityPolicy\sendHeaders
static sendHeaders(IContextSource $context)
Send CSP headers based on wiki config.
Definition ContentSecurityPolicy.php:73
ContentSecurityPolicy\escapeUrlForCSP
escapeUrlForCSP( $url)
CSP spec says ',' and ';' are not allowed to appear in urls.
Definition ContentSecurityPolicy.php:448
ContentSecurityPolicy\$nonce
string $nonce
The nonce to use for inline scripts (from OutputPage)
Definition ContentSecurityPolicy.php:32
ContentSecurityPolicy\getReportUri
getReportUri( $mode)
Get the default report uri.
Definition ContentSecurityPolicy.php:268
ContentSecurityPolicy\getCORSSources
getCORSSources()
include domains that are allowed to send us CORS requests.
Definition ContentSecurityPolicy.php:425
ContentSecurityPolicy\getAdditionalSelfUrlsScript
getAdditionalSelfUrlsScript()
Get additional script sources.
Definition ContentSecurityPolicy.php:334
ContentSecurityPolicy\sendCSPHeader
sendCSPHeader( $csp, $reportOnly)
Send a single CSP header based on a given policy config.
Definition ContentSecurityPolicy.php:56
ContentSecurityPolicy\$mwConfig
Config $mwConfig
The site configuration object.
Definition ContentSecurityPolicy.php:34
RepoGroup\singleton
static singleton()
Get a RepoGroup instance.
Definition RepoGroup.php:59
WebResponse
Allow programs to request this object from WebRequest::response() and handle all outputting (or lack ...
Definition WebResponse.php:28
$result
namespace being checked & $result
Definition hooks.txt:2385
$context
do that in ParserLimitReportFormat instead use this to modify the parameters of the image all existing parser cache entries will be invalid To avoid you ll need to handle that somehow(e.g. with the RejectParserCacheValue hook) because MediaWiki won 't do it for you. & $defaults also a ContextSource after deleting those rows but within the same transaction you ll probably need to make sure the header is varied on and they can depend only on the ResourceLoaderContext $context
Definition hooks.txt:2885
wfMessage
either a unescaped string or a HtmlArmor object after in associative array form externallinks including delete and has completed for all link tables whether this was an auto creation use $formDescriptor instead default is conds Array Extra conditions for the No matching items in log is displayed if loglist is empty msgKey Array If you want a nice box with a set this to the key of the message First element is the message additional optional elements are parameters for the key that are processed with wfMessage() -> params() ->parseAsBlock() - offset Set to overwrite offset parameter in $wgRequest set to '' to unset offset - wrap String Wrap the message in html(usually something like "&lt;div ...>$1&lt;/div>"). - flags Integer display flags(NO_ACTION_LINK, NO_EXTRA_USER_LINKS) 'LogException':Called before an exception(or PHP error) is logged. This is meant for integration with external error aggregation services
$out
this hook is for auditing only or null if authentication failed before getting that far or null if we can t even determine that probably a stub it is not rendered in wiki pages or galleries in category pages allow injecting custom HTML after the section Any uses of the hook need to handle escaping see BaseTemplate::getToolbox and BaseTemplate::makeListItem for details on the format of individual items inside of this array or by returning and letting standard HTTP rendering take place modifiable or by returning false and taking over the output $out
Definition hooks.txt:894
Config
Interface for configuration instances.
Definition Config.php:28
Config\get
get( $name)
Get a configuration variable such as "Sitename" or "UploadMaintenance.".
IContextSource
Interface for objects which can provide a MediaWiki context on request.
Definition IContextSource.php:53
$source
$source
Definition mwdoc-filter.php:46
$urls
$urls
Definition opensearch_desc.php:75