REL1_34/php/ContentSecurityPolicy_8php_source.html

<?php


class ContentSecurityPolicy {

    const REPORT_ONLY_MODE = 1;

    const FULL_MODE = 2;


    private $nonce;

    private $mwConfig;

    private $response;


    public function __construct( $nonce, WebResponse $response, Config $mwConfig ) {

        $this->nonce = $nonce;

        $this->response = $response;

        $this->mwConfig = $mwConfig;

    }


    public function sendCSPHeader( $csp, $reportOnly ) {

        $policy = $this->makeCSPDirectives( $csp, $reportOnly );

        $headerName = $this->getHeaderName( $reportOnly );

        if ( $policy ) {

            $this->response->header(

                "$headerName: $policy"

            );

        }

    }


    public static function sendHeaders( IContextSource $context ) {

        $out = $context->getOutput();

        $csp = new ContentSecurityPolicy(

            $out->getCSPNonce(),

            $context->getRequest()->response(),

            $context->getConfig()

        );


        $cspConfig = $context->getConfig()->get( 'CSPHeader' );

        $cspConfigReportOnly = $context->getConfig()->get( 'CSPReportOnlyHeader' );


        $csp->sendCSPHeader( $cspConfig, self::FULL_MODE );

        $csp->sendCSPHeader( $cspConfigReportOnly, self::REPORT_ONLY_MODE );


        // This used to insert a <meta> tag here, per advice at

        // https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/

        // The goal was to prevent nonce from working after the page hit onready,

        // This would help in old browsers that didn't support nonces, and

        // also assist for varnish-cached pages which repeat nonces.

        // However, this is incompatible with how resource loader storage works

        // via mw.domEval() so it was removed.

    }


    private function getHeaderName( $reportOnly ) {

        if ( $reportOnly === self::REPORT_ONLY_MODE ) {

            return 'Content-Security-Policy-Report-Only';

        }


        if ( $reportOnly === self::FULL_MODE ) {

            return 'Content-Security-Policy';

        }

        throw new UnexpectedValueException( $reportOnly );

    }


    private function makeCSPDirectives( $policyConfig, $mode ) {

        if ( $policyConfig === false ) {

            // CSP is disabled

            return '';

        }

        if ( $policyConfig === true ) {

            $policyConfig = [];

        }


        $mwConfig = $this->mwConfig;


        $additionalSelfUrls = $this->getAdditionalSelfUrls();

        $additionalSelfUrlsScript = $this->getAdditionalSelfUrlsScript();


        // If no default-src is sent at all, it

        // seems browsers (or at least some), interpret

        // that as allow anything, but the spec seems

        // to imply that data: and blob: should be

        // blocked.

        $defaultSrc = [ '*', 'data:', 'blob:' ];


        $cssSrc = false;

        $imgSrc = false;

        $scriptSrc = [ "'unsafe-eval'", "'self'" ];

        if ( !isset( $policyConfig['useNonces'] ) || $policyConfig['useNonces'] ) {

            $scriptSrc[] = "'nonce-" . $this->nonce . "'";

        }


        $scriptSrc = array_merge( $scriptSrc, $additionalSelfUrlsScript );

        if ( isset( $policyConfig['script-src'] )

            && is_array( $policyConfig['script-src'] )

        ) {

            foreach ( $policyConfig['script-src'] as $src ) {

                $scriptSrc[] = $this->escapeUrlForCSP( $src );

            }

        }

        // Note: default on if unspecified.

        if ( !isset( $policyConfig['unsafeFallback'] )

            || $policyConfig['unsafeFallback']

        ) {

            // unsafe-inline should be ignored on browsers

            // that support 'nonce-foo' sources.

            // Some older versions of firefox don't follow this

            // rule, but new browsers do. (Should be for at least

            // firefox 40+).

            $scriptSrc[] = "'unsafe-inline'";

        }

        // If default source option set to true or

        // an array of urls, set a restrictive default-src.

        // If set to false, we send a lenient default-src,

        // see the code above where $defaultSrc is set initially.

        if ( isset( $policyConfig['default-src'] )

            && $policyConfig['default-src'] !== false

        ) {

            $defaultSrc = array_merge(

                [ "'self'", 'data:', 'blob:' ],

                $additionalSelfUrls

            );

            if ( is_array( $policyConfig['default-src'] ) ) {

                foreach ( $policyConfig['default-src'] as $src ) {

                    $defaultSrc[] = $this->escapeUrlForCSP( $src );

                }

            }

        }


        if ( !isset( $policyConfig['includeCORS'] ) || $policyConfig['includeCORS'] ) {

            $CORSUrls = $this->getCORSSources();

            if ( !in_array( '*', $defaultSrc ) ) {

                $defaultSrc = array_merge( $defaultSrc, $CORSUrls );

            }

            // Unlikely to have * in scriptSrc, but doesn't

            // hurt to check.

            if ( !in_array( '*', $scriptSrc ) ) {

                $scriptSrc = array_merge( $scriptSrc, $CORSUrls );

            }

        }


        Hooks::run( 'ContentSecurityPolicyDefaultSource', [ &$defaultSrc, $policyConfig, $mode ] );

        Hooks::run( 'ContentSecurityPolicyScriptSource', [ &$scriptSrc, $policyConfig, $mode ] );


        // Check if array just in case the hook made it false

        if ( is_array( $defaultSrc ) ) {

            $cssSrc = array_merge( $defaultSrc, [ "'unsafe-inline'" ] );

        }


        if ( isset( $policyConfig['report-uri'] ) && $policyConfig['report-uri'] !== true ) {

            if ( $policyConfig['report-uri'] === false ) {

                $reportUri = false;

            } else {

                $reportUri = $this->escapeUrlForCSP( $policyConfig['report-uri'] );

            }

        } else {

            $reportUri = $this->getReportUri( $mode );

        }


        // Only send an img-src, if we're sending a restricitve default.

        if ( !is_array( $defaultSrc )

            || !in_array( '*', $defaultSrc )

            || !in_array( 'data:', $defaultSrc )

            || !in_array( 'blob:', $defaultSrc )

        ) {

            // A future todo might be to make the whitelist options only

            // add all the whitelisted sites to the header, instead of

            // allowing all (Assuming there is a small number of sites).

            // For now, the external image feature disables the limits

            // CSP puts on external images.

            if ( $mwConfig->get( 'AllowExternalImages' )

                || $mwConfig->get( 'AllowExternalImagesFrom' )

                || $mwConfig->get( 'AllowImageTag' )

            ) {

                $imgSrc = [ '*', 'data:', 'blob:' ];

            } elseif ( $mwConfig->get( 'EnableImageWhitelist' ) ) {

                $whitelist = wfMessage( 'external_image_whitelist' )

                    ->inContentLanguage()

                    ->plain();

                if ( preg_match( '/^\s*[^\s#]/m', $whitelist ) ) {

                    $imgSrc = [ '*', 'data:', 'blob:' ];

                }

            }

        }


        $directives = [];

        if ( $scriptSrc ) {

            $directives[] = 'script-src ' . implode( ' ', $scriptSrc );

        }

        if ( $defaultSrc ) {

            $directives[] = 'default-src ' . implode( ' ', $defaultSrc );

        }

        if ( $cssSrc ) {

            $directives[] = 'style-src ' . implode( ' ', $cssSrc );

        }

        if ( $imgSrc ) {

            $directives[] = 'img-src ' . implode( ' ', $imgSrc );

        }

        if ( $reportUri ) {

            $directives[] = 'report-uri ' . $reportUri;

        }


        Hooks::run( 'ContentSecurityPolicyDirectives', [ &$directives, $policyConfig, $mode ] );


        return implode( '; ', $directives );

    }


    private function getReportUri( $mode ) {

        $apiArguments = [

            'action' => 'cspreport',

            'format' => 'json'

        ];

        if ( $mode === self::REPORT_ONLY_MODE ) {

            $apiArguments['reportonly'] = '1';

        }

        $reportUri = wfAppendQuery( wfScript( 'api' ), $apiArguments );


        // Per spec, ';' and ',' must be hex-escaped in report uri

        // Also add an & at the end of url to work around bug in hhvm

        // with handling of POST parameters when always_decode_post_data

        // is set to true. See https://github.com/facebook/hhvm/issues/6676

        $reportUri = $this->escapeUrlForCSP( $reportUri ) . '&';

        return $reportUri;

    }


    private function prepareUrlForCSP( $url ) {

        $result = false;

        if ( preg_match( '/^[a-z][a-z0-9+.-]*:$/i', $url ) ) {

            // A schema source (e.g. blob: or data:)

            return $url;

        }

        $bits = wfParseUrl( $url );

        if ( !$bits && strpos( $url, '/' ) === false ) {

            // probably something like example.com.

            // try again protocol-relative.

            $url = '//' . $url;

            $bits = wfParseUrl( $url );

        }

        if ( $bits && isset( $bits['host'] )

            && $bits['host'] !== $this->mwConfig->get( 'ServerName' )

        ) {

            $result = $bits['host'];

            if ( $bits['scheme'] !== '' ) {

                $result = $bits['scheme'] . $bits['delimiter'] . $result;

            }

            if ( isset( $bits['port'] ) ) {

                $result .= ':' . $bits['port'];

            }

            $result = $this->escapeUrlForCSP( $result );

        }

        return $result;

    }


    private function getAdditionalSelfUrlsScript() {

        $additionalUrls = [];

        // wgExtensionAssetsPath for ?debug=true mode

        $pathVars = [ 'LoadScript', 'ExtensionAssetsPath', 'ResourceBasePath' ];


        foreach ( $pathVars as $path ) {

            $url = $this->mwConfig->get( $path );

            $preparedUrl = $this->prepareUrlForCSP( $url );

            if ( $preparedUrl ) {

                $additionalUrls[] = $preparedUrl;

            }

        }

        $RLSources = $this->mwConfig->get( 'ResourceLoaderSources' );

        foreach ( $RLSources as $wiki => $sources ) {

            foreach ( $sources as $id => $value ) {

                $url = $this->prepareUrlForCSP( $value );

                if ( $url ) {

                    $additionalUrls[] = $url;

                }

            }

        }


        return array_unique( $additionalUrls );

    }


    private function getAdditionalSelfUrls() {

        // XXX on a foreign repo, the included description page can have anything on it,

        // including inline scripts. But nobody sane does that.


        // In principle, you can have even more complex configs... (e.g. The urlsByExt option)

        $pathUrls = [];

        $additionalSelfUrls = [];


        // Future todo: The zone urls should never go into

        // style-src. They should either be only in img-src, or if

        // img-src unspecified they should be in default-src. Similarly,

        // the DescriptionStylesheetUrl only needs to be in style-src

        // (or default-src if style-src unspecified).

        $callback = function ( $repo, &$urls ) {

            $urls[] = $repo->getZoneUrl( 'public' );

            $urls[] = $repo->getZoneUrl( 'transcoded' );

            $urls[] = $repo->getZoneUrl( 'thumb' );

            $urls[] = $repo->getDescriptionStylesheetUrl();

        };

        $localRepo = RepoGroup::singleton()->getRepo( 'local' );

        $callback( $localRepo, $pathUrls );

        RepoGroup::singleton()->forEachForeignRepo( $callback, [ &$pathUrls ] );


        // Globals that might point to a different domain

        $pathGlobals = [ 'LoadScript', 'ExtensionAssetsPath', 'StylePath', 'ResourceBasePath' ];

        foreach ( $pathGlobals as $path ) {

            $pathUrls[] = $this->mwConfig->get( $path );

        }

        foreach ( $pathUrls as $path ) {

            $preparedUrl = $this->prepareUrlForCSP( $path );

            if ( $preparedUrl !== false ) {

                $additionalSelfUrls[] = $preparedUrl;

            }

        }

        $RLSources = $this->mwConfig->get( 'ResourceLoaderSources' );


        foreach ( $RLSources as $wiki => $sources ) {

            foreach ( $sources as $id => $value ) {

                $url = $this->prepareUrlForCSP( $value );

                if ( $url ) {

                    $additionalSelfUrls[] = $url;

                }

            }

        }


        return array_unique( $additionalSelfUrls );

    }


    private function getCORSSources() {

        $additionalUrls = [];

        $CORSSources = $this->mwConfig->get( 'CrossSiteAJAXdomains' );

        foreach ( $CORSSources as $source ) {

            if ( strpos( $source, '?' ) !== false ) {

                // CSP doesn't support single char wildcard

                continue;

            }

            $url = $this->prepareUrlForCSP( $source );

            if ( $url ) {

                $additionalUrls[] = $url;

            }

        }

        return $additionalUrls;

    }


    private function escapeUrlForCSP( $url ) {

        return str_replace(

            [ ';', ',' ],

            [ '%3B', '%2C' ],

            $url

        );

    }


    public static function falsePositiveBrowser( $ua ) {

        return (bool)preg_match( '!Firefox/4[0-2]\.!', $ua );

    }


    public static function isNonceRequired( Config $config ) {

        $configs = [

            $config->get( 'CSPHeader' ),

            $config->get( 'CSPReportOnlyHeader' )

        ];

        foreach ( $configs as $headerConfig ) {

            if (

                $headerConfig === true ||

                ( is_array( $headerConfig ) &&

                !isset( $headerConfig['useNonces'] ) ) ||

                ( is_array( $headerConfig ) &&

                isset( $headerConfig['useNonces'] ) &&

                $headerConfig['useNonces'] )

            ) {

                return true;

            }

        }

        return false;

    }


}


wfParseUrl
wfParseUrl( $url)
parse_url() work-alike, but non-broken.
Definition GlobalFunctions.php:793

wfAppendQuery
wfAppendQuery( $url, $query)
Append a query string to an existing URL, which may or may not already have query string parameters a...
Definition GlobalFunctions.php:439

wfScript
wfScript( $script='index')
Get the path to a specified script file, respecting file extensions; this is a wrapper around $wgScri...
Definition GlobalFunctions.php:2622

wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:1263

$path
$path
Definition NoLocalSettings.php:25

ContentSecurityPolicy
Definition ContentSecurityPolicy.php:27

ContentSecurityPolicy\getAdditionalSelfUrls
getAdditionalSelfUrls()
Get additional host names for the wiki (e.g.
Definition ContentSecurityPolicy.php:369

ContentSecurityPolicy\__construct
__construct( $nonce, WebResponse $response, Config $mwConfig)
Definition ContentSecurityPolicy.php:43

ContentSecurityPolicy\isNonceRequired
static isNonceRequired(Config $config)
Should we set nonce attribute.
Definition ContentSecurityPolicy.php:480

ContentSecurityPolicy\$response
WebResponse $response
Definition ContentSecurityPolicy.php:36

ContentSecurityPolicy\prepareUrlForCSP
prepareUrlForCSP( $url)
Given a url, convert to form needed for CSP.
Definition ContentSecurityPolicy.php:305

ContentSecurityPolicy\makeCSPDirectives
makeCSPDirectives( $policyConfig, $mode)
Determine what CSP policies to set for this page.
Definition ContentSecurityPolicy.php:122

ContentSecurityPolicy\REPORT_ONLY_MODE
const REPORT_ONLY_MODE
Definition ContentSecurityPolicy.php:28

ContentSecurityPolicy\FULL_MODE
const FULL_MODE
Definition ContentSecurityPolicy.php:29

ContentSecurityPolicy\falsePositiveBrowser
static falsePositiveBrowser( $ua)
Does this browser give false positive reports?
Definition ContentSecurityPolicy.php:470

ContentSecurityPolicy\getHeaderName
getHeaderName( $reportOnly)
Get the name of the HTTP header to use.
Definition ContentSecurityPolicy.php:103

ContentSecurityPolicy\sendHeaders
static sendHeaders(IContextSource $context)
Send CSP headers based on wiki config.
Definition ContentSecurityPolicy.php:73

ContentSecurityPolicy\escapeUrlForCSP
escapeUrlForCSP( $url)
CSP spec says ',' and ';' are not allowed to appear in urls.
Definition ContentSecurityPolicy.php:452

ContentSecurityPolicy\$nonce
string $nonce
The nonce to use for inline scripts (from OutputPage)
Definition ContentSecurityPolicy.php:32

ContentSecurityPolicy\getReportUri
getReportUri( $mode)
Get the default report uri.
Definition ContentSecurityPolicy.php:272

ContentSecurityPolicy\getCORSSources
getCORSSources()
include domains that are allowed to send us CORS requests.
Definition ContentSecurityPolicy.php:429

ContentSecurityPolicy\getAdditionalSelfUrlsScript
getAdditionalSelfUrlsScript()
Get additional script sources.
Definition ContentSecurityPolicy.php:338

ContentSecurityPolicy\sendCSPHeader
sendCSPHeader( $csp, $reportOnly)
Send a single CSP header based on a given policy config.
Definition ContentSecurityPolicy.php:56

ContentSecurityPolicy\$mwConfig
Config $mwConfig
The site configuration object.
Definition ContentSecurityPolicy.php:34

WebResponse
Allow programs to request this object from WebRequest::response() and handle all outputting (or lack ...
Definition WebResponse.php:30

Config
Interface for configuration instances.
Definition Config.php:28

Config\get
get( $name)
Get a configuration variable such as "Sitename" or "UploadMaintenance.".

IContextSource
Interface for objects which can provide a MediaWiki context on request.
Definition IContextSource.php:53

$context
$context
Definition load.php:45

$source
$source
Definition mwdoc-filter.php:34

$urls
$urls
Definition opensearch_desc.php:76