Public Member Functions | |
| __construct (WebResponse $response, Config $mwConfig, HookContainer $hookContainer) | |
| addDefaultSrc ( $source) | |
| Add an additional default src. | |
| addScriptSrc ( $source) | |
| Add an additional script src. | |
| addStyleSrc ( $source) | |
| Add an additional CSS src. | |
| getNonce () | |
| Get the nonce if nonce is in use. | |
| sendCSPHeader ( $csp, $reportOnly) | |
| Send a single CSP header based on a given policy config. | |
| sendHeaders () | |
| Send CSP headers based on wiki config. | |
Static Public Member Functions | |
| static | falsePositiveBrowser ( $ua) |
| Does this browser give false positive reports? | |
| static | isNonceRequired (Config $config) |
| Should we set nonce attribute. | |
Public Attributes | |
| const | FULL_MODE = 2 |
| const | REPORT_ONLY_MODE = 1 |
Private Member Functions | |
| escapeUrlForCSP ( $url) | |
| CSP spec says ',' and ';' are not allowed to appear in urls. | |
| getAdditionalSelfUrls () | |
| Get additional host names for the wiki (e.g. | |
| getAdditionalSelfUrlsScript () | |
| Get additional script sources. | |
| getCORSSources () | |
| include domains that are allowed to send us CORS requests. | |
| getHeaderName ( $reportOnly) | |
| Get the name of the HTTP header to use. | |
| getReportUri ( $mode) | |
| Get the default report uri. | |
| makeCSPDirectives ( $policyConfig, $mode) | |
| Determine what CSP policies to set for this page. | |
| prepareUrlForCSP ( $url) | |
| Given a url, convert to form needed for CSP. | |
Static Private Member Functions | |
| static | isNonceRequiredArray (array $configs) |
| Does a specific config require a nonce. | |
Private Attributes | |
| array | $extraDefaultSrc = [] |
| array | $extraScriptSrc = [] |
| array | $extraStyleSrc = [] |
| HookRunner | $hookRunner |
| Config | $mwConfig |
| The site configuration object. | |
| string | $nonce |
| The nonce to use for inline scripts (from OutputPage) | |
| WebResponse | $response |
Detailed Description
Definition at line 32 of file ContentSecurityPolicy.php.
Constructor & Destructor Documentation
◆ __construct()
| ContentSecurityPolicy::__construct | ( | WebResponse | $response, |
| Config | $mwConfig, | ||
| HookContainer | $hookContainer | ||
| ) |
- Note
- As a general rule, you would not construct this class directly but use the instance from OutputPage::getCSP()
Definition at line 62 of file ContentSecurityPolicy.php.
Member Function Documentation
◆ addDefaultSrc()
| ContentSecurityPolicy::addDefaultSrc | ( | $source | ) |
Add an additional default src.
If possible you should use a more specific source type then default.
So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addDefaultSrc( '*.example.com' );
- Since
- 1.35
- Parameters
-
string $source Source to add. e.g. blob:, *.example.com, https://example.com, example.com/foo
Definition at line 572 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
◆ addScriptSrc()
| ContentSecurityPolicy::addScriptSrc | ( | $source | ) |
Add an additional script src.
So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );
- Since
- 1.35
- Warning
- Be careful including external scripts, as they can take over accounts.
- Parameters
-
string $source Source to add. e.g. blob:, *.example.com, https://example.com, example.com/foo
Definition at line 601 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
◆ addStyleSrc()
| ContentSecurityPolicy::addStyleSrc | ( | $source | ) |
Add an additional CSS src.
So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );
- Since
- 1.35
- Parameters
-
string $source Source to add. e.g. blob:, *.example.com, https://example.com, example.com/foo
Definition at line 586 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
◆ escapeUrlForCSP()
|
private |
CSP spec says ',' and ';' are not allowed to appear in urls.
- Note
- This assumes that normal escaping has been applied to the url
- Parameters
-
string $url URL (or possibly just part of one)
- Returns
- string
Definition at line 484 of file ContentSecurityPolicy.php.
Referenced by getReportUri(), makeCSPDirectives(), and prepareUrlForCSP().
◆ falsePositiveBrowser()
|
static |
Does this browser give false positive reports?
Some versions of firefox (40-42) incorrectly report a csp violation for nonce sources, despite allowing them.
- Parameters
-
string $ua User-agent header
- Returns
- bool
Definition at line 502 of file ContentSecurityPolicy.php.
Referenced by ApiCSPReport\getFlags().
◆ getAdditionalSelfUrls()
|
private |
Get additional host names for the wiki (e.g.
if static content loaded elsewhere)
- Note
- These are general load sources, not script sources
- Returns
- array Array of other urls for wiki (for use in default-src)
Definition at line 400 of file ContentSecurityPolicy.php.
References $path, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
◆ getAdditionalSelfUrlsScript()
|
private |
Get additional script sources.
- Returns
- array Additional sources for loading scripts from
Definition at line 369 of file ContentSecurityPolicy.php.
References $path, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
◆ getCORSSources()
|
private |
include domains that are allowed to send us CORS requests.
Technically, $wgCrossSiteAJAXdomains lists things that are allowed to talk to us not things that we are allowed to talk to - but if something is allowed to talk to us, then there is a good chance that we should probably be allowed to talk to it.
This is configurable with the 'includeCORS' key in the CSP config, and enabled by default.
- Note
- CORS domains with single character ('?') wildcards, are not included.
- Returns
- array Additional hosts
Definition at line 461 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
◆ getHeaderName()
|
private |
Get the name of the HTTP header to use.
- Parameters
-
int $reportOnly Either self::REPORT_ONLY_MODE or self::FULL_MODE
- Returns
- string Name of http header
- Exceptions
-
UnexpectedValueException
Definition at line 120 of file ContentSecurityPolicy.php.
Referenced by sendCSPHeader().
◆ getNonce()
| ContentSecurityPolicy::getNonce | ( | ) |
Get the nonce if nonce is in use.
- Since
- 1.35
- Returns
- bool|string A random (base64) string or false if not used.
Definition at line 548 of file ContentSecurityPolicy.php.
References $nonce.
Referenced by makeCSPDirectives().
◆ getReportUri()
|
private |
Get the default report uri.
- Parameters
-
int $mode self::*_MODE constant.
- Returns
- string The URI to send reports to.
- Exceptions
-
UnexpectedValueException if given invalid mode.
Definition at line 306 of file ContentSecurityPolicy.php.
References escapeUrlForCSP(), wfAppendQuery(), and wfScript().
Referenced by makeCSPDirectives().
◆ isNonceRequired()
|
static |
Should we set nonce attribute.
- Parameters
-
Config $config Configuration object
- Returns
- bool
Definition at line 512 of file ContentSecurityPolicy.php.
References Config\get(), and isNonceRequiredArray().
Referenced by Html\inlineScript(), and Html\linkedScript().
◆ isNonceRequiredArray()
|
staticprivate |
Does a specific config require a nonce.
- Parameters
-
array $configs An array of CSP config arrays
- Returns
- bool
Definition at line 526 of file ContentSecurityPolicy.php.
Referenced by isNonceRequired().
◆ makeCSPDirectives()
|
private |
Determine what CSP policies to set for this page.
- Parameters
-
array | bool $policyConfig Policy configuration (Either $wgCSPHeader or $wgCSPReportOnlyHeader) int $mode self::REPORT_ONLY_MODE, self::FULL_MODE
- Returns
- string Policy directives, or empty string for no policy.
Definition at line 139 of file ContentSecurityPolicy.php.
References $mwConfig, escapeUrlForCSP(), Config\get(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), getCORSSources(), getNonce(), getReportUri(), and wfMessage().
Referenced by sendCSPHeader().
◆ prepareUrlForCSP()
|
private |
Given a url, convert to form needed for CSP.
Currently this does either scheme + host, or if protocol relative, just the host. Future versions could potentially preserve some of the path, if its determined that that would be a good idea.
- Note
- This does the extra escaping for CSP, but assumes the url has already had normal url escaping applied.
- This discards urls same as server name, as 'self' directive takes care of that.
- Parameters
-
string $url
- Returns
- string|bool Converted url or false on failure
Definition at line 336 of file ContentSecurityPolicy.php.
References escapeUrlForCSP(), and wfParseUrl().
Referenced by addDefaultSrc(), addScriptSrc(), addStyleSrc(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), and getCORSSources().
◆ sendCSPHeader()
| ContentSecurityPolicy::sendCSPHeader | ( | $csp, | |
| $reportOnly | |||
| ) |
Send a single CSP header based on a given policy config.
- Note
- Most callers will probably want ContentSecurityPolicy::sendHeaders() instead.
Definition at line 78 of file ContentSecurityPolicy.php.
References getHeaderName(), and makeCSPDirectives().
Referenced by sendHeaders().
◆ sendHeaders()
| ContentSecurityPolicy::sendHeaders | ( | ) |
Send CSP headers based on wiki config.
Main method that callers (OutputPage) are expected to use. As a general rule, you would never call this in an extension unless you have disabled OutputPage and are fully controlling the output.
- Since
- 1.35
Definition at line 97 of file ContentSecurityPolicy.php.
References sendCSPHeader().
Member Data Documentation
◆ $extraDefaultSrc
|
private |
Definition at line 44 of file ContentSecurityPolicy.php.
◆ $extraScriptSrc
|
private |
Definition at line 46 of file ContentSecurityPolicy.php.
◆ $extraStyleSrc
|
private |
Definition at line 48 of file ContentSecurityPolicy.php.
◆ $hookRunner
|
private |
Definition at line 51 of file ContentSecurityPolicy.php.
◆ $mwConfig
|
private |
The site configuration object.
Definition at line 39 of file ContentSecurityPolicy.php.
Referenced by __construct(), and makeCSPDirectives().
◆ $nonce
|
private |
The nonce to use for inline scripts (from OutputPage)
Definition at line 37 of file ContentSecurityPolicy.php.
Referenced by getNonce().
◆ $response
|
private |
Definition at line 41 of file ContentSecurityPolicy.php.
Referenced by __construct().
◆ FULL_MODE
| const ContentSecurityPolicy::FULL_MODE = 2 |
Definition at line 34 of file ContentSecurityPolicy.php.
◆ REPORT_ONLY_MODE
| const ContentSecurityPolicy::REPORT_ONLY_MODE = 1 |
Definition at line 33 of file ContentSecurityPolicy.php.
The documentation for this class was generated from the following file:
- includes/ContentSecurityPolicy.php
