MediaWiki REL1_37
Public Member Functions
__construct (WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
addDefaultSrc ( $source)
  If possible you should use a more specific source type than default.
addScriptSrc ( $source)
  So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );
addStyleSrc ( $source)
  So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );
getNonce ()
  Get the nonce if a nonce is in use.
sendCSPHeader ( $csp, $reportOnly)
  Send a single CSP header based on a given policy config.
sendHeaders ()
  Send CSP headers based on wiki config.
Static Public Member Functions
static falsePositiveBrowser ( $ua)
  Does this browser give false positive reports?
static isNonceRequired (Config $config)
  Should we set the nonce attribute?
Public Attributes
const FULL_MODE = 2
const REPORT_ONLY_MODE = 1
Private Member Functions
escapeUrlForCSP ( $url)
  CSP spec says ',' and ';' are not allowed to appear in URLs.
getAdditionalSelfUrls ()
  Get additional host names for the wiki (e.g. if static content is loaded elsewhere).
getAdditionalSelfUrlsScript ()
getCORSSources ()
  Include domains that are allowed to send us CORS requests.
getHeaderName ( $reportOnly)
getReportUri ( $mode)
  Get the default report URI.
makeCSPDirectives ( $policyConfig, $mode)
  Determine what CSP policies to set for this page.
prepareUrlForCSP ( $url)
  Given a URL, convert it to the form needed for CSP.
Static Private Member Functions
static isNonceRequiredArray (array $configs)
  Does a specific config require a nonce?
Private Attributes
array $extraDefaultSrc = []
array $extraScriptSrc = []
array $extraStyleSrc = []
HookRunner $hookRunner
Config $mwConfig
  The site configuration object.
string $nonce
  The nonce to use for inline scripts (from OutputPage).
WebResponse $response
Definition at line 32 of file ContentSecurityPolicy.php.
ContentSecurityPolicy::__construct( WebResponse $response, Config $mwConfig, HookContainer $hookContainer )
Parameters:
  WebResponse $response
  Config $mwConfig
  HookContainer $hookContainer
Definition at line 62 of file ContentSecurityPolicy.php.
ContentSecurityPolicy::addDefaultSrc( $source )
If possible you should use a more specific source type than default.
So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addDefaultSrc( '*.example.com' );
Parameters:
  string $source  Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo
Definition at line 566 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
ContentSecurityPolicy::addScriptSrc( $source )
So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );
Parameters:
  string $source  Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo
Definition at line 591 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
ContentSecurityPolicy::addStyleSrc( $source )
So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );
Parameters:
  string $source  Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo
Definition at line 578 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
ContentSecurityPolicy::escapeUrlForCSP( $url )
private
CSP spec says ',' and ';' are not allowed to appear in URLs.
Parameters:
  string $url  URL (or possibly just part of one)
Definition at line 480 of file ContentSecurityPolicy.php.
Referenced by getReportUri(), makeCSPDirectives(), and prepareUrlForCSP().
ContentSecurityPolicy::falsePositiveBrowser( $ua )
static
Does this browser give false positive reports?
Some versions of Firefox (40-42) incorrectly report a CSP violation for nonce sources, despite allowing them.
Parameters:
  string $ua  User-Agent header
Definition at line 498 of file ContentSecurityPolicy.php.
Referenced by ApiCSPReport\getFlags().
ContentSecurityPolicy::getAdditionalSelfUrls()
private
Get additional host names for the wiki (e.g. if static content is loaded elsewhere).
Definition at line 396 of file ContentSecurityPolicy.php.
References $path, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
ContentSecurityPolicy::getAdditionalSelfUrlsScript()
private
Definition at line 365 of file ContentSecurityPolicy.php.
References $path, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
ContentSecurityPolicy::getCORSSources()
private
Include domains that are allowed to send us CORS requests.
Technically, $wgCrossSiteAJAXdomains lists the origins that are allowed to talk to us, not the ones we are allowed to talk to; but if an origin is allowed to talk to us, there is a good chance that we should be allowed to talk to it as well.
This is configurable with the 'includeCORS' key in the CSP config, and enabled by default.
Definition at line 457 of file ContentSecurityPolicy.php.
References $source, and prepareUrlForCSP().
Referenced by makeCSPDirectives().
ContentSecurityPolicy::getHeaderName( $reportOnly )
private
Parameters:
  int $reportOnly  Either self::REPORT_ONLY_MODE or self::FULL_MODE
Exceptions:
  UnexpectedValueException
Definition at line 118 of file ContentSecurityPolicy.php.
Referenced by sendCSPHeader().
ContentSecurityPolicy::getNonce()
Get the nonce if a nonce is in use.
Definition at line 544 of file ContentSecurityPolicy.php.
References $nonce.
Referenced by makeCSPDirectives().
ContentSecurityPolicy::getReportUri( $mode )
private
Get the default report URI.
Parameters:
  int $mode  self::*_MODE constant.
Exceptions:
  UnexpectedValueException  if given an invalid mode.
Definition at line 304 of file ContentSecurityPolicy.php.
References escapeUrlForCSP(), wfAppendQuery(), and wfScript().
Referenced by makeCSPDirectives().
ContentSecurityPolicy::isNonceRequired( Config $config )
static
Should we set the nonce attribute?
Parameters:
  Config $config
Definition at line 508 of file ContentSecurityPolicy.php.
References Config\get(), and isNonceRequiredArray().
Referenced by Html\inlineScript(), and Html\linkedScript().
ContentSecurityPolicy::isNonceRequiredArray( array $configs )
static private
Does a specific config require a nonce?
Parameters:
  array $configs  An array of CSP config arrays
Definition at line 522 of file ContentSecurityPolicy.php.
Referenced by isNonceRequired().
ContentSecurityPolicy::makeCSPDirectives( $policyConfig, $mode )
private
Determine what CSP policies to set for this page.
Parameters:
  array|bool $policyConfig  Policy configuration (either $wgCSPHeader or $wgCSPReportOnlyHeader)
  int $mode  self::REPORT_ONLY_MODE or self::FULL_MODE
Definition at line 137 of file ContentSecurityPolicy.php.
References $mwConfig, escapeUrlForCSP(), Config\get(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), getCORSSources(), getNonce(), getReportUri(), and wfMessage().
Referenced by sendCSPHeader().
ContentSecurityPolicy::prepareUrlForCSP( $url )
private
Given a URL, convert it to the form needed for CSP.
Currently this produces either scheme + host or, for a protocol-relative URL, just the host. Future versions could potentially preserve some of the path, if it is determined that that would be a good idea.
Parameters:
  string $url
Definition at line 334 of file ContentSecurityPolicy.php.
References escapeUrlForCSP(), and wfParseUrl().
Referenced by addDefaultSrc(), addScriptSrc(), addStyleSrc(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), and getCORSSources().
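As an added illustration (not MediaWiki's own code), the following standalone PHP re-implements the normalisation that prepareUrlForCSP and escapeUrlForCSP describe: reduce a URL to scheme + host (or the bare host for protocol-relative and scheme-less input), and percent-encode ',' and ';' so a source value can never terminate a directive or the header. The function names, the $ownHost parameter and the use of parse_url() are assumptions; MediaWiki's versions use wfParseUrl() and the site configuration instead.

```php
<?php
// Percent-encode the characters the CSP grammar uses as delimiters, so a
// source value can never terminate the directive (';') or the header (',').
function escapeUrlForCsp( string $url ): string {
    return str_replace( [ ';', ',' ], [ '%3B', '%2C' ], $url );
}

// Reduce $url to a CSP source expression: scheme + host (+ port), or the bare
// host for protocol-relative and scheme-less input. Returns false when no host
// can be extracted or the host is the wiki's own ($ownHost is an assumed
// parameter standing in for the site's configured server name).
function prepareUrlForCsp( string $url, string $ownHost ) {
    // Scheme sources such as "blob:" or "data:" pass through unchanged.
    if ( preg_match( '/^[a-z][a-z0-9+.-]*:$/i', $url ) ) {
        return $url;
    }
    $bits = parse_url( $url );
    // "example.com/foo" parses as a bare path; retry it as protocol-relative.
    if ( ( $bits === false || !isset( $bits['host'] ) ) && strpos( $url, '//' ) !== 0 ) {
        $bits = parse_url( '//' . $url );
    }
    if ( $bits === false || !isset( $bits['host'] ) || $bits['host'] === $ownHost ) {
        return false;
    }
    $result = $bits['host'];
    if ( isset( $bits['scheme'] ) ) {
        $result = $bits['scheme'] . '://' . $result;
    }
    if ( isset( $bits['port'] ) ) {
        $result .= ':' . $bits['port'];
    }
    // Path and query never reach the header; only the origin part is escaped.
    return escapeUrlForCsp( $result );
}

// Constructed sample inputs covering each branch above.
$ownHost = 'wiki.example.org';
$samples = [
    'blob:',                                   // scheme source
    'https://cdn.example.com/load.php?x=1,2',  // path and query are dropped
    '//static.example.com/w/skins/',           // protocol-relative: host only
    'example.com/foo',                         // scheme-less: retried as //...
    'https://wiki.example.org/w/index.php',    // own host, already covered by 'self'
];
foreach ( $samples as $url ) {
    echo $url, ' => ', var_export( prepareUrlForCsp( $url, $ownHost ), true ), "\n";
}
// A host value that somehow carried a delimiter is neutralised by the escape step.
echo escapeUrlForCsp( 'example.com;script-src' ), "\n";
```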
ContentSecurityPolicy::sendCSPHeader( $csp, $reportOnly )
Send a single CSP header based on a given policy config.
Parameters:
  array $csp  ContentSecurityPolicy configuration
  int $reportOnly  self::*_MODE constant
Definition at line 78 of file ContentSecurityPolicy.php.
References getHeaderName(), and makeCSPDirectives().
Referenced by sendHeaders().
ContentSecurityPolicy::sendHeaders()
Send CSP headers based on wiki config.
Main method that callers (OutputPage) are expected to use. As a general rule, you would never call this in an extension unless you have disabled OutputPage and are fully controlling the output.
Definition at line 97 of file ContentSecurityPolicy.php.
References sendCSPHeader().
array ContentSecurityPolicy::$extraDefaultSrc = []
private
Definition at line 44 of file ContentSecurityPolicy.php.
array ContentSecurityPolicy::$extraScriptSrc = []
private
Definition at line 46 of file ContentSecurityPolicy.php.
array ContentSecurityPolicy::$extraStyleSrc = []
private
Definition at line 48 of file ContentSecurityPolicy.php.
HookRunner ContentSecurityPolicy::$hookRunner
private
Definition at line 51 of file ContentSecurityPolicy.php.
Config ContentSecurityPolicy::$mwConfig
private
The site configuration object.
Definition at line 39 of file ContentSecurityPolicy.php.
Referenced by __construct(), and makeCSPDirectives().
string ContentSecurityPolicy::$nonce
private
The nonce to use for inline scripts (from OutputPage).
Definition at line 37 of file ContentSecurityPolicy.php.
Referenced by getNonce().
WebResponse ContentSecurityPolicy::$response
private
Definition at line 41 of file ContentSecurityPolicy.php.
Referenced by __construct().
const ContentSecurityPolicy::FULL_MODE = 2
Definition at line 34 of file ContentSecurityPolicy.php.
const ContentSecurityPolicy::REPORT_ONLY_MODE = 1
Definition at line 33 of file ContentSecurityPolicy.php.