MediaWiki REL1_33
ContentSecurityPolicy Class Reference
Collaboration diagram for ContentSecurityPolicy:

Public Member Functions

 __construct ( $nonce, WebResponse $response, Config $mwConfig)
 
 sendCSPHeader ( $csp, $reportOnly)
 Send a single CSP header based on a given policy config.
 

Static Public Member Functions

static falsePositiveBrowser ( $ua)
 Does this browser give false positive reports?
 
static isNonceRequired (Config $config)
 Should we set nonce attribute.
 
static sendHeaders (IContextSource $context)
 Send CSP headers based on wiki config.
 

Public Attributes

const FULL_MODE = 2
 
const REPORT_ONLY_MODE = 1
 

Private Member Functions

 escapeUrlForCSP ( $url)
 CSP spec says ',' and ';' are not allowed to appear in urls.
 
 getAdditionalSelfUrls ()
 Get additional host names for the wiki (e.g.
 
 getAdditionalSelfUrlsScript ()
 Get additional script sources.
 
 getCORSSources ()
 include domains that are allowed to send us CORS requests.
 
 getHeaderName ( $reportOnly)
 Get the name of the HTTP header to use.
 
 getReportUri ( $mode)
 Get the default report uri.
 
 makeCSPDirectives ( $policyConfig, $mode)
 Determine what CSP policies to set for this page.
 
 prepareUrlForCSP ( $url)
 Given a url, convert to form needed for CSP.
 

Private Attributes

Config $mwConfig
 The site configuration object.
 
string $nonce
 The nonce to use for inline scripts (from OutputPage)
 
WebResponse $response
 

Detailed Description

Definition at line 27 of file ContentSecurityPolicy.php.

Constructor & Destructor Documentation

◆ __construct()

ContentSecurityPolicy::__construct ( $nonce,
WebResponse $response,
Config $mwConfig )
Parameters
string$nonce
WebResponse$response
Config$mwConfig

Definition at line 43 of file ContentSecurityPolicy.php.

References $mwConfig, $nonce, and $response.

Member Function Documentation

◆ escapeUrlForCSP()

ContentSecurityPolicy::escapeUrlForCSP ( $url)
private

CSP spec says ',' and ';' are not allowed to appear in urls.

Note
This assumes that normal escaping has been applied to the url
Parameters
string$urlURL (or possibly just part of one)
Returns
string

Definition at line 452 of file ContentSecurityPolicy.php.

References and().

Referenced by getReportUri(), makeCSPDirectives(), and prepareUrlForCSP().

◆ falsePositiveBrowser()

static ContentSecurityPolicy::falsePositiveBrowser ( $ua)
static

Does this browser give false positive reports?

Some versions of firefox (40-42) incorrectly report a csp violation for nonce sources, despite allowing them.

See also
https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Parameters
string$uaUser-agent header
Returns
bool

Definition at line 470 of file ContentSecurityPolicy.php.

References and().

Referenced by ApiCSPReport\getFlags(), and ContentSecurityPolicyTest\testFalsePositiveBrowser().

◆ getAdditionalSelfUrls()

ContentSecurityPolicy::getAdditionalSelfUrls ( )
private

Get additional host names for the wiki (e.g.

if static content loaded elsewhere)

Note
These are general load sources, not script sources
Returns
array Array of other urls for wiki (for use in default-src)

Definition at line 369 of file ContentSecurityPolicy.php.

References $urls, $value, and(), prepareUrlForCSP(), and RepoGroup\singleton().

Referenced by makeCSPDirectives().

◆ getAdditionalSelfUrlsScript()

ContentSecurityPolicy::getAdditionalSelfUrlsScript ( )
private

Get additional script sources.

Returns
array Additional sources for loading scripts from

Definition at line 338 of file ContentSecurityPolicy.php.

References $value, and(), and prepareUrlForCSP().

Referenced by makeCSPDirectives().

◆ getCORSSources()

ContentSecurityPolicy::getCORSSources ( )
private

include domains that are allowed to send us CORS requests.

Technically, $wgCrossSiteAJAXdomains lists things that are allowed to talk to us not things that we are allowed to talk to - but if something is allowed to talk to us, then there is a good chance that we should probably be allowed to talk to it.

This is configurable with the 'includeCORS' key in the CSP config, and enabled by default.

Note
CORS domains with single character ('?') wildcards, are not included.
Returns
array Additional hosts

Definition at line 429 of file ContentSecurityPolicy.php.

References $source, and(), and prepareUrlForCSP().

Referenced by makeCSPDirectives().

◆ getHeaderName()

ContentSecurityPolicy::getHeaderName ( $reportOnly)
private

Get the name of the HTTP header to use.

Parameters
int$reportOnlyEither self::REPORT_ONLY_MODE or self::FULL_MODE
Returns
string Name of http header
Exceptions
UnexpectedValueException

Definition at line 103 of file ContentSecurityPolicy.php.

Referenced by sendCSPHeader().

◆ getReportUri()

ContentSecurityPolicy::getReportUri ( $mode)
private

Get the default report uri.

Parameters
int$modeself::*_MODE constant.
Returns
string The URI to send reports to.
Exceptions
UnexpectedValueExceptionif given invalid mode.

Definition at line 272 of file ContentSecurityPolicy.php.

References and(), escapeUrlForCSP(), wfAppendQuery(), and wfScript().

Referenced by makeCSPDirectives().

◆ isNonceRequired()

static ContentSecurityPolicy::isNonceRequired ( Config $config)
static

Should we set nonce attribute.

Parameters
Config$configConfiguration object
Returns
bool

Definition at line 480 of file ContentSecurityPolicy.php.

References and(), and Config\get().

Referenced by OutputPage\getCSPNonce(), Html\inlineScript(), Html\linkedScript(), and ContentSecurityPolicyTest\testCSPIsEnabled().

◆ makeCSPDirectives()

ContentSecurityPolicy::makeCSPDirectives ( $policyConfig,
$mode )
private

Determine what CSP policies to set for this page.

Parameters
array | bool$policyConfigPolicy configuration (Either $wgCSPHeader or $wgCSPReportOnlyHeader)
int$modeself::REPORT_ONLY_MODE, self::FULL_MODE
Returns
string Policy directives, or empty string for no policy.

Definition at line 122 of file ContentSecurityPolicy.php.

References $mwConfig, and(), escapeUrlForCSP(), Config\get(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), getCORSSources(), getReportUri(), and wfMessage().

Referenced by sendCSPHeader().

◆ prepareUrlForCSP()

ContentSecurityPolicy::prepareUrlForCSP ( $url)
private

Given a url, convert to form needed for CSP.

Currently this does either scheme + host, or if protocol relative, just the host. Future versions could potentially preserve some of the path, if its determined that that would be a good idea.

Note
This does the extra escaping for CSP, but assumes the url has already had normal url escaping applied.
This discards urls same as server name, as 'self' directive takes care of that.
Parameters
string$url
Returns
string|bool Converted url or false on failure

Definition at line 305 of file ContentSecurityPolicy.php.

References $result, and(), escapeUrlForCSP(), and wfParseUrl().

Referenced by getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), and getCORSSources().

◆ sendCSPHeader()

ContentSecurityPolicy::sendCSPHeader ( $csp,
$reportOnly )

Send a single CSP header based on a given policy config.

Note
Most callers will probably want ContentSecurityPolicy::sendHeaders() instead.
Parameters
array$cspContentSecurityPolicy configuration
int$reportOnlyself::*_MODE constant

Definition at line 56 of file ContentSecurityPolicy.php.

References getHeaderName(), and makeCSPDirectives().

◆ sendHeaders()

static ContentSecurityPolicy::sendHeaders ( IContextSource $context)
static

Send CSP headers based on wiki config.

Main method that callers are expected to use

Parameters
IContextSource$contextA context object, the associated OutputPage object must be the one that the page in question was generated with.

Definition at line 73 of file ContentSecurityPolicy.php.

References $context, and $out.

Referenced by OutputPage\output().

Member Data Documentation

◆ $mwConfig

Config ContentSecurityPolicy::$mwConfig
private

The site configuration object.

Definition at line 34 of file ContentSecurityPolicy.php.

Referenced by __construct(), and makeCSPDirectives().

◆ $nonce

string ContentSecurityPolicy::$nonce
private

The nonce to use for inline scripts (from OutputPage)

Definition at line 32 of file ContentSecurityPolicy.php.

Referenced by __construct().

◆ $response

WebResponse ContentSecurityPolicy::$response
private

Definition at line 36 of file ContentSecurityPolicy.php.

Referenced by __construct().

◆ FULL_MODE

◆ REPORT_ONLY_MODE


The documentation for this class was generated from the following file: