MediaWiki REL1_40
MediaWiki\Request\ContentSecurityPolicy Class Reference

Public Member Functions

 __construct (WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
 
 addDefaultSrc ( $source)
 If possible you should use a more specific source type than default.
 
 addScriptSrc ( $source)
 So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );
 
 addStyleSrc ( $source)
 So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );
 
 getNonce ()
 Get the nonce if nonce is in use.
 
 sendCSPHeader ( $csp, $reportOnly)
 Send a single CSP header based on a given policy config.
 
 sendHeaders ()
 Send CSP headers based on wiki config.
 

Static Public Member Functions

static falsePositiveBrowser ( $ua)
 Does this browser give false positive reports?
 
static isNonceRequired (Config $config)
 Should we set the nonce attribute?
 

Public Attributes

const FULL_MODE = 2
 
const REPORT_ONLY_MODE = 1
 

Detailed Description

Definition at line 38 of file ContentSecurityPolicy.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Request\ContentSecurityPolicy::__construct ( WebResponse $response,
Config $mwConfig,
HookContainer $hookContainer )
Note
As a general rule, you would not construct this class directly but use the instance from OutputPage::getCSP()
Access: internal
Parameters
WebResponse $response
Config $mwConfig
HookContainer $hookContainer
Since
1.35 Method signature changed

Definition at line 68 of file ContentSecurityPolicy.php.

Member Function Documentation

◆ addDefaultSrc()

MediaWiki\Request\ContentSecurityPolicy::addDefaultSrc ( $source)

If possible you should use a more specific source type than default.

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addDefaultSrc( '*.example.com' );

Since
1.35
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 580 of file ContentSecurityPolicy.php.

References $source.

◆ addScriptSrc()

MediaWiki\Request\ContentSecurityPolicy::addScriptSrc ( $source)

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );

Since
1.35
Warning
Be careful including external scripts, as they can take over accounts.
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 605 of file ContentSecurityPolicy.php.

References $source.

◆ addStyleSrc()

MediaWiki\Request\ContentSecurityPolicy::addStyleSrc ( $source)

So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );

Since
1.35
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 592 of file ContentSecurityPolicy.php.

References $source.

◆ falsePositiveBrowser()

static MediaWiki\Request\ContentSecurityPolicy::falsePositiveBrowser ( $ua)
static

Does this browser give false positive reports?

Some versions of Firefox (40-42) incorrectly report a CSP violation for nonce sources, despite allowing them.

See also
https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Parameters
string $ua User-Agent header
Returns
bool

Definition at line 515 of file ContentSecurityPolicy.php.

◆ getNonce()

MediaWiki\Request\ContentSecurityPolicy::getNonce ( )

Get the nonce if nonce is in use.

Since
1.35
Returns
bool|string A random (base64) string or false if not used.

Definition at line 561 of file ContentSecurityPolicy.php.
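The addScriptSrc(), addStyleSrc() and getNonce() entries above describe the intended pattern: widen only the directive a page actually needs (never default-src when a narrower one fits) and attach the nonce to inline scripts only when nonces are in use. The following special page is an added example written for this reference, not code from MediaWiki itself; it assumes the documented SpecialPage::getOutput(), OutputPage::getCSP() and the global Html::inlineScript( $contents, $nonce ) helper, and the host names and message key are placeholders.

```php
<?php
// Added example (not MediaWiki's own code): a hypothetical special page that
// loads one script from a script host and one stylesheet from a style host.
// Assumed APIs: SpecialPage::getOutput(), OutputPage::getCSP(),
// Html::inlineScript( $contents, $nonce ). Hosts and message key are placeholders.

class SpecialCspDemo extends SpecialPage {
	public function __construct() {
		parent::__construct( 'CspDemo' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$out = $this->getOutput();
		$csp = $out->getCSP();

		// Prefer the specific directive over addDefaultSrc(): the script host is
		// only allowed to serve scripts, the style host only stylesheets. Keep
		// the sources as narrow as possible; a host that is allowed in script-src
		// can run code as the logged-in user, which is what the warning on
		// addScriptSrc() is about.
		$csp->addScriptSrc( 'https://scripts.example.com' );
		$csp->addStyleSrc( 'https://styles.example.com' );

		// These calls must happen before OutputPage sends the headers, which is
		// the case anywhere inside execute(); the headers are emitted when the
		// page is finally output.

		// getNonce() returns false when nonces are not in use, so only pass a
		// nonce through when there is one. Html::inlineScript() adds the
		// nonce="..." attribute that lets this inline script run under a
		// nonce-based script-src.
		$nonce = $csp->getNonce();
		$bootstrap = 'window.cspDemoReady = true;';
		$out->addHTML( Html::inlineScript( $bootstrap, $nonce ?: null ) );

		$out->addHTML( Html::element( 'p', [], $this->msg( 'cspdemo-intro' )->text() ) );
	}
}
```

The page never calls sendHeaders() itself: OutputPage does that when it emits the response, which is why the reference says extensions should only go through getCSP() on the output object.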

◆ isNonceRequired()

static MediaWiki\Request\ContentSecurityPolicy::isNonceRequired ( Config $config)
static

Should we set the nonce attribute?

Parameters
Config$config
Returns
bool

Definition at line 525 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPHeader, MediaWiki\MainConfigNames\CSPReportOnlyHeader, and Config\get().

◆ sendCSPHeader()

MediaWiki\Request\ContentSecurityPolicy::sendCSPHeader ( $csp,
$reportOnly )

Send a single CSP header based on a given policy config.

Note
Most callers will probably want ContentSecurityPolicy::sendHeaders() instead.
Access: internal
Parameters
array|bool $csp ContentSecurityPolicy configuration
int $reportOnly self::*_MODE constant

Definition at line 86 of file ContentSecurityPolicy.php.

Referenced by MediaWiki\Request\ContentSecurityPolicy\sendHeaders().

◆ sendHeaders()

MediaWiki\Request\ContentSecurityPolicy::sendHeaders ( )

Send CSP headers based on wiki config.

Main method that callers (OutputPage) are expected to use. As a general rule, you would never call this in an extension unless you have disabled OutputPage and are fully controlling the output.

Since
1.35

Definition at line 105 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPHeader, MediaWiki\MainConfigNames\CSPReportOnlyHeader, and MediaWiki\Request\ContentSecurityPolicy\sendCSPHeader().
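sendHeaders() reads the two configuration variables referenced above (CSPHeader and CSPReportOnlyHeader) and calls sendCSPHeader() once per configured policy, with REPORT_ONLY_MODE or FULL_MODE. The LocalSettings.php fragment below is an added example, not part of this reference, showing the rollout order a site operator would normally use: report-only first, enforcement once the reports are clean. The policy keys ('default-src', 'script-src', 'style-src', 'report-uri') are assumed from the $wgCSPHeader configuration documentation and should be checked against your MediaWiki version; the hosts are placeholders.

```php
<?php
// Added example (not part of MediaWiki's own documentation): LocalSettings.php
// fragment driving the two modes that sendHeaders() supports.
// Assumed: $wgCSPHeader / $wgCSPReportOnlyHeader accept false (disabled), true
// (MediaWiki defaults) or an array of directive overrides with the keys used
// below. Host names are placeholders.

// Stage 1: report-only. The browser reports violations to report-uri but blocks
// nothing, so legitimate resources the policy would break show up as reports
// instead of broken pages. sendHeaders() emits this as
// Content-Security-Policy-Report-Only (REPORT_ONLY_MODE).
$wgCSPReportOnlyHeader = [
	'default-src' => [],                                   // no extra default sources
	'script-src'  => [ 'https://scripts.example.com' ],    // only what pages truly need
	'style-src'   => [ 'https://styles.example.com' ],
	'report-uri'  => 'https://csp-reports.example.com/collect', // placeholder collector
];
$wgCSPHeader = false;                                      // nothing enforced yet

// Stage 2: once the report stream is clean, promote the same policy to
// enforcing. sendHeaders() then emits Content-Security-Policy (FULL_MODE).
// Uncomment these two lines and remove the stage-1 assignment of $wgCSPHeader:
// $wgCSPHeader = $wgCSPReportOnlyHeader;
// $wgCSPReportOnlyHeader = false;
```

Keeping the report-only policy in place for a while after enforcing a second one is also valid: sendHeaders() handles both variables independently, so a stricter candidate policy can be observed in report-only mode while a looser one is enforced.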

Member Data Documentation

◆ FULL_MODE

const MediaWiki\Request\ContentSecurityPolicy::FULL_MODE = 2

Definition at line 40 of file ContentSecurityPolicy.php.

◆ REPORT_ONLY_MODE

const MediaWiki\Request\ContentSecurityPolicy::REPORT_ONLY_MODE = 1

Definition at line 39 of file ContentSecurityPolicy.php.


The documentation for this class was generated from the following file: