REL1_40/php/ContentSecurityPolicy_8php_source.html

<?php

namespace MediaWiki\Request;


use Config;

use LogicException;

use MediaWiki\HookContainer\HookContainer;

use MediaWiki\HookContainer\HookRunner;

use MediaWiki\MainConfigNames;

use MediaWiki\MediaWikiServices;

use UnexpectedValueException;


class ContentSecurityPolicy {

    public const REPORT_ONLY_MODE = 1;

    public const FULL_MODE = 2;


    private $nonce;

    private $mwConfig;

    private $response;


    private $extraDefaultSrc = [];

    private $extraScriptSrc = [];

    private $extraStyleSrc = [];


    private $hookRunner;


    public function __construct(

        WebResponse $response,

        Config $mwConfig,

        HookContainer $hookContainer

    ) {

        $this->response = $response;

        $this->mwConfig = $mwConfig;

        $this->hookRunner = new HookRunner( $hookContainer );

    }


    public function sendCSPHeader( $csp, $reportOnly ) {

        $policy = $this->makeCSPDirectives( $csp, $reportOnly );

        $headerName = $this->getHeaderName( $reportOnly );

        if ( $policy ) {

            $this->response->header(

                "$headerName: $policy"

            );

        }

    }


    public function sendHeaders() {

        $cspConfig = $this->mwConfig->get( MainConfigNames::CSPHeader );

        $cspConfigReportOnly = $this->mwConfig->get( MainConfigNames::CSPReportOnlyHeader );


        $this->sendCSPHeader( $cspConfig, self::FULL_MODE );

        $this->sendCSPHeader( $cspConfigReportOnly, self::REPORT_ONLY_MODE );


        // This used to insert a <meta> tag here, per advice at

        // https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/

        // The goal was to prevent nonce from working after the page hit onready,

        // This would help in old browsers that didn't support nonces, and

        // also assist for varnish-cached pages which repeat nonces.

        // However, this is incompatible with how resource loader storage works

        // via mw.domEval() so it was removed.

    }


    private function getHeaderName( $reportOnly ) {

        if ( $reportOnly === self::REPORT_ONLY_MODE ) {

            return 'Content-Security-Policy-Report-Only';

        }


        if ( $reportOnly === self::FULL_MODE ) {

            return 'Content-Security-Policy';

        }

        throw new UnexpectedValueException( "Mode '$reportOnly' not recognised" );

    }


    private function makeCSPDirectives( $policyConfig, $mode ) {

        if ( $policyConfig === false ) {

            // CSP is disabled

            return '';

        }

        if ( $policyConfig === true ) {

            $policyConfig = [];

        }


        $mwConfig = $this->mwConfig;


        if (

            !self::isNonceRequired( $mwConfig ) &&

            self::isNonceRequiredArray( [ $policyConfig ] )

        ) {

            // If the current policy requires a nonce, but the global state

            // does not, that's bad. Throw an exception. This should never happen.

            throw new LogicException( "Nonce requirement mismatch" );

        }


        $additionalSelfUrls = $this->getAdditionalSelfUrls();

        $additionalSelfUrlsScript = $this->getAdditionalSelfUrlsScript();


        // If no default-src is sent at all, it

        // seems browsers (or at least some), interpret

        // that as allow anything, but the spec seems

        // to imply that data: and blob: should be

        // blocked.

        $defaultSrc = [ '*', 'data:', 'blob:' ];


        $imgSrc = false;

        $scriptSrc = [ "'unsafe-eval'", "blob:", "'self'" ];

        if ( $policyConfig['useNonces'] ?? true ) {

            $scriptSrc[] = "'nonce-" . $this->getNonce() . "'";

        }


        $scriptSrc = array_merge( $scriptSrc, $additionalSelfUrlsScript );

        if ( isset( $policyConfig['script-src'] )

            && is_array( $policyConfig['script-src'] )

        ) {

            foreach ( $policyConfig['script-src'] as $src ) {

                $scriptSrc[] = $this->escapeUrlForCSP( $src );

            }

        }

        // Note: default on if unspecified.

        if ( $policyConfig['unsafeFallback'] ?? true ) {

            // unsafe-inline should be ignored on browsers

            // that support 'nonce-foo' sources.

            // Some older versions of firefox don't follow this

            // rule, but new browsers do. (Should be for at least

            // firefox 40+).

            $scriptSrc[] = "'unsafe-inline'";

        }

        // If default source option set to true or

        // an array of urls, set a restrictive default-src.

        // If set to false, we send a lenient default-src,

        // see the code above where $defaultSrc is set initially.

        if ( isset( $policyConfig['default-src'] )

            && $policyConfig['default-src'] !== false

        ) {

            $defaultSrc = array_merge(

                [ "'self'", 'data:', 'blob:' ],

                $additionalSelfUrls

            );

            if ( is_array( $policyConfig['default-src'] ) ) {

                foreach ( $policyConfig['default-src'] as $src ) {

                    $defaultSrc[] = $this->escapeUrlForCSP( $src );

                }

            }

        }


        if ( $policyConfig['includeCORS'] ?? true ) {

            $CORSUrls = $this->getCORSSources();

            if ( !in_array( '*', $defaultSrc ) ) {

                $defaultSrc = array_merge( $defaultSrc, $CORSUrls );

            }

            // Unlikely to have * in scriptSrc, but doesn't

            // hurt to check.

            if ( !in_array( '*', $scriptSrc ) ) {

                $scriptSrc = array_merge( $scriptSrc, $CORSUrls );

            }

        }


        $defaultSrc = array_merge( $defaultSrc, $this->extraDefaultSrc );

        $scriptSrc = array_merge( $scriptSrc, $this->extraScriptSrc );


        $cssSrc = array_merge( $defaultSrc, $this->extraStyleSrc, [ "'unsafe-inline'" ] );


        $this->hookRunner->onContentSecurityPolicyDefaultSource( $defaultSrc, $policyConfig, $mode );

        $this->hookRunner->onContentSecurityPolicyScriptSource( $scriptSrc, $policyConfig, $mode );


        if ( isset( $policyConfig['report-uri'] ) && $policyConfig['report-uri'] !== true ) {

            if ( $policyConfig['report-uri'] === false ) {

                $reportUri = false;

            } else {

                $reportUri = $this->escapeUrlForCSP( $policyConfig['report-uri'] );

            }

        } else {

            $reportUri = $this->getReportUri( $mode );

        }


        // Only send an img-src, if we're sending a restrictive default.

        if ( !is_array( $defaultSrc )

            || !in_array( '*', $defaultSrc )

            || !in_array( 'data:', $defaultSrc )

            || !in_array( 'blob:', $defaultSrc )

        ) {

            // A future todo might be to make the allow options only

            // add all the allowed sites to the header, instead of

            // allowing all (Assuming there is a small number of sites).

            // For now, the external image feature disables the limits

            // CSP puts on external images.

            if ( $mwConfig->get( MainConfigNames::AllowExternalImages )

                || $mwConfig->get( MainConfigNames::AllowExternalImagesFrom )

                || $mwConfig->get( MainConfigNames::AllowImageTag )

            ) {

                $imgSrc = [ '*', 'data:', 'blob:' ];

            } elseif ( $mwConfig->get( MainConfigNames::EnableImageWhitelist ) ) {

                $whitelist = wfMessage( 'external_image_whitelist' )

                    ->inContentLanguage()

                    ->plain();

                if ( preg_match( '/^\s*[^\s#]/m', $whitelist ) ) {

                    $imgSrc = [ '*', 'data:', 'blob:' ];

                }

            }

        }

        // Default value 'none'. true is none, false is nothing, string is single directive,

        // array is list.

        if ( !isset( $policyConfig['object-src'] ) || $policyConfig['object-src'] === true ) {

            $objectSrc = [ "'none'" ];

        } else {

            $objectSrc = (array)( $policyConfig['object-src'] ?: [] );

        }

        $objectSrc = array_map( [ $this, 'escapeUrlForCSP' ], $objectSrc );


        $directives = [];

        if ( $scriptSrc ) {

            $directives[] = 'script-src ' . implode( ' ', array_unique( $scriptSrc ) );

        }

        if ( $defaultSrc ) {

            $directives[] = 'default-src ' . implode( ' ', array_unique( $defaultSrc ) );

        }

        if ( $cssSrc ) {

            $directives[] = 'style-src ' . implode( ' ', array_unique( $cssSrc ) );

        }

        if ( $imgSrc ) {

            $directives[] = 'img-src ' . implode( ' ', array_unique( $imgSrc ) );

        }

        if ( $objectSrc ) {

            $directives[] = 'object-src ' . implode( ' ', $objectSrc );

        }

        if ( $reportUri ) {

            $directives[] = 'report-uri ' . $reportUri;

        }


        $this->hookRunner->onContentSecurityPolicyDirectives( $directives, $policyConfig, $mode );


        return implode( '; ', $directives );

    }


    private function getReportUri( $mode ) {

        $apiArguments = [

            'action' => 'cspreport',

            'format' => 'json'

        ];

        if ( $mode === self::REPORT_ONLY_MODE ) {

            $apiArguments['reportonly'] = '1';

        }

        $reportUri = wfAppendQuery( wfScript( 'api' ), $apiArguments );


        // Per spec, ';' and ',' must be hex-escaped in report URI

        $reportUri = $this->escapeUrlForCSP( $reportUri );

        return $reportUri;

    }


    private function prepareUrlForCSP( $url ) {

        $result = false;

        if ( preg_match( '/^[a-z][a-z0-9+.-]*:$/i', $url ) ) {

            // A schema source (e.g. blob: or data:)

            return $url;

        }

        $bits = wfParseUrl( $url );

        if ( !$bits && strpos( $url, '/' ) === false ) {

            // probably something like example.com.

            // try again protocol-relative.

            $url = '//' . $url;

            $bits = wfParseUrl( $url );

        }

        if ( $bits && isset( $bits['host'] )

            && $bits['host'] !== $this->mwConfig->get( MainConfigNames::ServerName )

        ) {

            $result = $bits['host'];

            if ( $bits['scheme'] !== '' ) {

                $result = $bits['scheme'] . $bits['delimiter'] . $result;

            }

            if ( isset( $bits['port'] ) ) {

                $result .= ':' . $bits['port'];

            }

            $result = $this->escapeUrlForCSP( $result );

        }

        return $result;

    }


    private function getAdditionalSelfUrlsScript() {

        $additionalUrls = [];

        // wgExtensionAssetsPath for ?debug=true mode

        $pathVars = [

            MainConfigNames::LoadScript,

            MainConfigNames::ExtensionAssetsPath,

            MainConfigNames::ResourceBasePath,

        ];


        foreach ( $pathVars as $path ) {

            $url = $this->mwConfig->get( $path );

            $preparedUrl = $this->prepareUrlForCSP( $url );

            if ( $preparedUrl ) {

                $additionalUrls[] = $preparedUrl;

            }

        }

        $RLSources = $this->mwConfig->get( MainConfigNames::ResourceLoaderSources );

        foreach ( $RLSources as $sources ) {

            foreach ( $sources as $value ) {

                $url = $this->prepareUrlForCSP( $value );

                if ( $url ) {

                    $additionalUrls[] = $url;

                }

            }

        }


        return array_unique( $additionalUrls );

    }


    private function getAdditionalSelfUrls() {

        // XXX on a foreign repo, the included description page can have anything on it,

        // including inline scripts. But nobody does that.


        // In principle, you can have even more complex configs... (e.g. The urlsByExt option)

        $pathUrls = [];

        $additionalSelfUrls = [];


        // Future todo: The zone urls should never go into

        // style-src. They should either be only in img-src, or if

        // img-src unspecified they should be in default-src. Similarly,

        // the DescriptionStylesheetUrl only needs to be in style-src

        // (or default-src if style-src unspecified).

        $callback = static function ( $repo, &$urls ) {

            $urls[] = $repo->getZoneUrl( 'public' );

            $urls[] = $repo->getZoneUrl( 'transcoded' );

            $urls[] = $repo->getZoneUrl( 'thumb' );

            $urls[] = $repo->getDescriptionStylesheetUrl();

        };

        $repoGroup = MediaWikiServices::getInstance()->getRepoGroup();

        $localRepo = $repoGroup->getRepo( 'local' );

        $callback( $localRepo, $pathUrls );

        $repoGroup->forEachForeignRepo( $callback, [ &$pathUrls ] );


        // Globals that might point to a different domain

        $pathGlobals = [

            MainConfigNames::LoadScript,

            MainConfigNames::ExtensionAssetsPath,

            MainConfigNames::StylePath,

            MainConfigNames::ResourceBasePath,

        ];

        foreach ( $pathGlobals as $path ) {

            $pathUrls[] = $this->mwConfig->get( $path );

        }

        foreach ( $pathUrls as $path ) {

            $preparedUrl = $this->prepareUrlForCSP( $path );

            if ( $preparedUrl !== false ) {

                $additionalSelfUrls[] = $preparedUrl;

            }

        }

        $RLSources = $this->mwConfig->get( MainConfigNames::ResourceLoaderSources );


        foreach ( $RLSources as $sources ) {

            foreach ( $sources as $value ) {

                $url = $this->prepareUrlForCSP( $value );

                if ( $url ) {

                    $additionalSelfUrls[] = $url;

                }

            }

        }


        return array_unique( $additionalSelfUrls );

    }


    private function getCORSSources() {

        $additionalUrls = [];

        $CORSSources = $this->mwConfig->get( MainConfigNames::CrossSiteAJAXdomains );

        foreach ( $CORSSources as $source ) {

            if ( strpos( $source, '?' ) !== false ) {

                // CSP doesn't support single char wildcard

                continue;

            }

            $url = $this->prepareUrlForCSP( $source );

            if ( $url ) {

                $additionalUrls[] = $url;

            }

        }

        return $additionalUrls;

    }


    private function escapeUrlForCSP( $url ) {

        return str_replace(

            [ ';', ',' ],

            [ '%3B', '%2C' ],

            $url

        );

    }


    public static function falsePositiveBrowser( $ua ) {

        return (bool)preg_match( '!Firefox/4[0-2]\.!', $ua );

    }


    public static function isNonceRequired( Config $config ) {

        $configs = [

            $config->get( MainConfigNames::CSPHeader ),

            $config->get( MainConfigNames::CSPReportOnlyHeader ),

        ];

        return self::isNonceRequiredArray( $configs );

    }


    private static function isNonceRequiredArray( array $configs ) {

        foreach ( $configs as $headerConfig ) {

            if (

                $headerConfig === true ||

                ( is_array( $headerConfig ) &&

                !isset( $headerConfig['useNonces'] ) ) ||

                ( is_array( $headerConfig ) &&

                isset( $headerConfig['useNonces'] ) &&

                $headerConfig['useNonces'] )

            ) {

                return true;

            }

        }

        return false;

    }


    public function getNonce() {

        if ( !self::isNonceRequired( $this->mwConfig ) ) {

            return false;

        }

        $this->nonce ??= base64_encode( random_bytes( 15 ) );


        return $this->nonce;

    }


    public function addDefaultSrc( $source ) {

        $this->extraDefaultSrc[] = $this->prepareUrlForCSP( $source );

    }


    public function addStyleSrc( $source ) {

        $this->extraStyleSrc[] = $this->prepareUrlForCSP( $source );

    }


    public function addScriptSrc( $source ) {

        $this->extraScriptSrc[] = $this->prepareUrlForCSP( $source );

    }


}


class_alias( ContentSecurityPolicy::class, 'ContentSecurityPolicy' );

wfParseUrl
wfParseUrl( $url)
parse_url() work-alike, but non-broken.
Definition GlobalFunctions.php:607

wfAppendQuery
wfAppendQuery( $url, $query)
Append a query string to an existing URL, which may or may not already have query string parameters a...
Definition GlobalFunctions.php:429

wfScript
wfScript( $script='index')
Get the path to a specified script file, respecting file extensions; this is a wrapper around $wgScri...
Definition GlobalFunctions.php:1912

wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:893

$path
$path
Definition NoLocalSettings.php:27

MediaWiki\HookContainer\HookContainer
HookContainer class.
Definition HookContainer.php:45

MediaWiki\HookContainer\HookRunner
This class provides an implementation of the core hook interfaces, forwarding hook calls to HookConta...
Definition HookRunner.php:568

MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22

MediaWiki\MainConfigNames\ServerName
const ServerName
Name constant for the ServerName setting, for use with Config::get()
Definition MainConfigNames.php:52

MediaWiki\MainConfigNames\StylePath
const StylePath
Name constant for the StylePath setting, for use with Config::get()
Definition MainConfigNames.php:106

MediaWiki\MainConfigNames\ExtensionAssetsPath
const ExtensionAssetsPath
Name constant for the ExtensionAssetsPath setting, for use with Config::get()
Definition MainConfigNames.php:118

MediaWiki\MainConfigNames\ResourceBasePath
const ResourceBasePath
Name constant for the ResourceBasePath setting, for use with Config::get()
Definition MainConfigNames.php:2062

MediaWiki\MainConfigNames\ResourceLoaderSources
const ResourceLoaderSources
Name constant for the ResourceLoaderSources setting, for use with Config::get()
Definition MainConfigNames.php:2056

MediaWiki\MainConfigNames\CSPHeader
const CSPHeader
Name constant for the CSPHeader setting, for use with Config::get()
Definition MainConfigNames.php:3025

MediaWiki\MainConfigNames\AllowExternalImages
const AllowExternalImages
Name constant for the AllowExternalImages setting, for use with Config::get()
Definition MainConfigNames.php:2302

MediaWiki\MainConfigNames\EnableImageWhitelist
const EnableImageWhitelist
Name constant for the EnableImageWhitelist setting, for use with Config::get()
Definition MainConfigNames.php:2314

MediaWiki\MainConfigNames\AllowImageTag
const AllowImageTag
Name constant for the AllowImageTag setting, for use with Config::get()
Definition MainConfigNames.php:2321

MediaWiki\MainConfigNames\LoadScript
const LoadScript
Name constant for the LoadScript setting, for use with Config::get()
Definition MainConfigNames.php:94

MediaWiki\MainConfigNames\CSPReportOnlyHeader
const CSPReportOnlyHeader
Name constant for the CSPReportOnlyHeader setting, for use with Config::get()
Definition MainConfigNames.php:3031

MediaWiki\MainConfigNames\AllowExternalImagesFrom
const AllowExternalImagesFrom
Name constant for the AllowExternalImagesFrom setting, for use with Config::get()
Definition MainConfigNames.php:2308

MediaWiki\MainConfigNames\CrossSiteAJAXdomains
const CrossSiteAJAXdomains
Name constant for the CrossSiteAJAXdomains setting, for use with Config::get()
Definition MainConfigNames.php:4181

MediaWiki\MediaWikiServices
Service locator for MediaWiki core services.
Definition MediaWikiServices.php:223

MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition MediaWikiServices.php:290

MediaWiki\Request\ContentSecurityPolicy
Definition ContentSecurityPolicy.php:38

MediaWiki\Request\ContentSecurityPolicy\falsePositiveBrowser
static falsePositiveBrowser( $ua)
Does this browser give false positive reports?
Definition ContentSecurityPolicy.php:515

MediaWiki\Request\ContentSecurityPolicy\sendCSPHeader
sendCSPHeader( $csp, $reportOnly)
Send a single CSP header based on a given policy config.
Definition ContentSecurityPolicy.php:86

MediaWiki\Request\ContentSecurityPolicy\FULL_MODE
const FULL_MODE
Definition ContentSecurityPolicy.php:40

MediaWiki\Request\ContentSecurityPolicy\addDefaultSrc
addDefaultSrc( $source)
If possible you should use a more specific source type then default.
Definition ContentSecurityPolicy.php:580

MediaWiki\Request\ContentSecurityPolicy\sendHeaders
sendHeaders()
Send CSP headers based on wiki config.
Definition ContentSecurityPolicy.php:105

MediaWiki\Request\ContentSecurityPolicy\REPORT_ONLY_MODE
const REPORT_ONLY_MODE
Definition ContentSecurityPolicy.php:39

MediaWiki\Request\ContentSecurityPolicy\getNonce
getNonce()
Get the nonce if nonce is in use.
Definition ContentSecurityPolicy.php:561

MediaWiki\Request\ContentSecurityPolicy\addStyleSrc
addStyleSrc( $source)
So for example, if an extension added a special page that loaded external CSS it might call $this->ge...
Definition ContentSecurityPolicy.php:592

MediaWiki\Request\ContentSecurityPolicy\isNonceRequired
static isNonceRequired(Config $config)
Should we set nonce attribute.
Definition ContentSecurityPolicy.php:525

MediaWiki\Request\ContentSecurityPolicy\__construct
__construct(WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
Definition ContentSecurityPolicy.php:68

MediaWiki\Request\ContentSecurityPolicy\addScriptSrc
addScriptSrc( $source)
So for example, if an extension added a special page that loaded something it might call $this->getOu...
Definition ContentSecurityPolicy.php:605

MediaWiki\Request\WebResponse
Allow programs to request this object from WebRequest::response() and handle all outputting (or lack ...
Definition WebResponse.php:36

Config
Interface for configuration instances.
Definition Config.php:30

Config\get
get( $name)
Get a configuration variable such as "Sitename" or "UploadMaintenance.".

$source
$source
Definition mwdoc-filter.php:34

MediaWiki\Request
Definition ContentSecurityPolicy.php:28