master/php/ContentSecurityPolicy_8php_source.html

<?php

namespace MediaWiki\Request;


use MediaWiki\Config\Config;

use MediaWiki\HookContainer\HookContainer;

use MediaWiki\HookContainer\HookRunner;

use MediaWiki\MainConfigNames;

use MediaWiki\MediaWikiServices;

use UnexpectedValueException;


class ContentSecurityPolicy {

    public const REPORT_ONLY_MODE = 1;

    public const FULL_MODE = 2;


    // Used for uploaded files. Keep in sync with images/.htaccess

    private const UPLOAD_CSP = "default-src 'none'; style-src 'unsafe-inline' data:;" .

        "font-src data:; img-src data: 'self'; media-src data: 'self'; sandbox";

    private const UPLOAD_CSP_PDF = "default-src 'none'; style-src 'unsafe-inline' data:; object-src 'self';" .

        "font-src data:; img-src data: 'self'; media-src data: 'self';";


    private $mwConfig;

    private $response;


    private $extraDefaultSrc = [];

    private $extraScriptSrc = [];

    private $extraStyleSrc = [];


    private $hookRunner;


    public function __construct(

        WebResponse $response,

        Config $mwConfig,

        HookContainer $hookContainer

    ) {

        $this->response = $response;

        $this->mwConfig = $mwConfig;

        $this->hookRunner = new HookRunner( $hookContainer );

    }


    public function getDirectives() {

        $cspConfig = $this->mwConfig->get( MainConfigNames::CSPHeader );

        $cspConfigReportOnly = $this->mwConfig->get( MainConfigNames::CSPReportOnlyHeader );


        $cspPolicy = $this->makeCSPDirectives( $cspConfig, self::FULL_MODE );

        $cspReportOnlyPolicy = $this->makeCSPDirectives( $cspConfigReportOnly, self::REPORT_ONLY_MODE );


        return array_filter( [

            $this->getHeaderName( self::FULL_MODE ) => $cspPolicy,

            $this->getHeaderName( self::REPORT_ONLY_MODE ) => $cspReportOnlyPolicy,

        ] );

    }


    public function sendHeaders() {

        $directives = $this->getDirectives();

        foreach ( $directives as $headerName => $policy ) {

            $this->response->header( "$headerName: $policy" );

        }


        // This used to insert a <meta> tag here, per advice at

        // https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/

        // The goal was to prevent nonce from working after the page hit onready,

        // This would help in old browsers that didn't support nonces, and

        // also assist for Varnish-cached pages which repeat nonces.

        // However, this is incompatible with how ResourceLoader runs code

        // from mw.loader.store, so it was removed.

    }


    private function getHeaderName( $reportOnly ) {

        if ( $reportOnly === self::REPORT_ONLY_MODE ) {

            return 'Content-Security-Policy-Report-Only';

        }


        if ( $reportOnly === self::FULL_MODE ) {

            return 'Content-Security-Policy';

        }

        throw new UnexpectedValueException( "Mode '$reportOnly' not recognised" );

    }


    private function makeCSPDirectives( $policyConfig, $mode ) {

        if ( $policyConfig === false ) {

            // CSP is disabled

            return '';

        }

        if ( $policyConfig === true ) {

            $policyConfig = [];

        }


        $mwConfig = $this->mwConfig;


        if (

            self::isNonceRequired( $mwConfig ) ||

            self::isNonceRequiredArray( [ $policyConfig ] )

        ) {

            wfDeprecated( 'wgCSPHeader "useNonces" option', '1.41' );

        }


        $additionalSelfUrls = $this->getAdditionalSelfUrls();

        $additionalSelfUrlsScript = $this->getAdditionalSelfUrlsScript();


        // If no default-src is sent at all, it seems browsers (or at least some),

        // interpret that as allow anything, but the spec seems to imply that

        // "data:" and "blob:" should be blocked.

        $defaultSrc = [ '*', 'data:', 'blob:' ];


        $imgSrc = false;

        $scriptSrc = [ "'unsafe-eval'", "blob:", "'self'" ];


        $scriptSrc = array_merge( $scriptSrc, $additionalSelfUrlsScript );

        if ( isset( $policyConfig['script-src'] )

            && is_array( $policyConfig['script-src'] )

        ) {

            foreach ( $policyConfig['script-src'] as $src ) {

                $scriptSrc[] = $this->escapeUrlForCSP( $src );

            }

        }

        // Note: default on if unspecified.

        if ( $policyConfig['unsafeFallback'] ?? true ) {

            // unsafe-inline should be ignored on browsers that support 'nonce-foo' sources.

            // Some older versions of firefox don't follow this rule, but new browsers do.

            // (Should be for at least Firefox 40+).

            $scriptSrc[] = "'unsafe-inline'";

        }

        // If default source option set to true or an array of urls,

        // set a restrictive default-src.

        // If set to false, we send a lenient default-src,

        // see the code above where $defaultSrc is set initially.

        if ( isset( $policyConfig['default-src'] )

            && $policyConfig['default-src'] !== false

        ) {

            $defaultSrc = [ "'self'", 'data:', 'blob:', ...$additionalSelfUrls ];

            if ( is_array( $policyConfig['default-src'] ) ) {

                foreach ( $policyConfig['default-src'] as $src ) {

                    $defaultSrc[] = $this->escapeUrlForCSP( $src );

                }

            }

        }


        if ( $policyConfig['includeCORS'] ?? true ) {

            $CORSUrls = $this->getCORSSources();

            if ( !in_array( '*', $defaultSrc ) ) {

                $defaultSrc = array_merge( $defaultSrc, $CORSUrls );

            }

            // Unlikely to have * in scriptSrc, but doesn't

            // hurt to check.

            if ( !in_array( '*', $scriptSrc ) ) {

                $scriptSrc = array_merge( $scriptSrc, $CORSUrls );

            }

        }


        $defaultSrc = array_merge( $defaultSrc, $this->extraDefaultSrc );

        $scriptSrc = array_merge( $scriptSrc, $this->extraScriptSrc );


        $cssSrc = array_merge( $defaultSrc, $this->extraStyleSrc, [ "'unsafe-inline'" ] );


        $this->hookRunner->onContentSecurityPolicyDefaultSource( $defaultSrc, $policyConfig, $mode );

        $this->hookRunner->onContentSecurityPolicyScriptSource( $scriptSrc, $policyConfig, $mode );


        if ( isset( $policyConfig['report-uri'] ) && $policyConfig['report-uri'] !== true ) {

            if ( $policyConfig['report-uri'] === false ) {

                $reportUri = false;

            } else {

                $reportUri = $this->escapeUrlForCSP( $policyConfig['report-uri'] );

            }

        } else {

            $reportUri = $this->getReportUri( $mode );

        }


        // Only send an img-src, if we're sending a restrictive default.

        if ( !is_array( $defaultSrc )

            || !in_array( '*', $defaultSrc )

            || !in_array( 'data:', $defaultSrc )

            || !in_array( 'blob:', $defaultSrc )

        ) {

            // A future todo might be to make the allow options only

            // add all the allowed sites to the header, instead of

            // allowing all (Assuming there is a small number of sites).

            // For now, the external image feature disables the limits

            // CSP puts on external images.

            if ( $mwConfig->get( MainConfigNames::AllowExternalImages )

                || $mwConfig->get( MainConfigNames::AllowExternalImagesFrom )

            ) {

                $imgSrc = [ '*', 'data:', 'blob:' ];

            } elseif ( $mwConfig->get( MainConfigNames::EnableImageWhitelist ) ) {

                $whitelist = wfMessage( 'external_image_whitelist' )

                    ->inContentLanguage()

                    ->plain();

                if ( preg_match( '/^\s*[^\s#]/m', $whitelist ) ) {

                    $imgSrc = [ '*', 'data:', 'blob:' ];

                }

            }

        }

        // Default value 'none'. true is none, false is nothing, string is single directive,

        // array is list.

        if ( !isset( $policyConfig['object-src'] ) || $policyConfig['object-src'] === true ) {

            $objectSrc = [ "'none'" ];

        } else {

            $objectSrc = (array)( $policyConfig['object-src'] ?: [] );

        }

        $objectSrc = array_map( $this->escapeUrlForCSP( ... ), $objectSrc );


        $directives = [];

        if ( $scriptSrc ) {

            $directives[] = 'script-src ' . implode( ' ', array_unique( $scriptSrc ) );

        }

        if ( $defaultSrc ) {

            $directives[] = 'default-src ' . implode( ' ', array_unique( $defaultSrc ) );

        }

        if ( $cssSrc ) {

            $directives[] = 'style-src ' . implode( ' ', array_unique( $cssSrc ) );

        }

        if ( $imgSrc ) {

            $directives[] = 'img-src ' . implode( ' ', array_unique( $imgSrc ) );

        }

        if ( $objectSrc ) {

            $directives[] = 'object-src ' . implode( ' ', $objectSrc );

        }

        if ( $reportUri ) {

            $directives[] = 'report-uri ' . $reportUri;

        }


        $this->hookRunner->onContentSecurityPolicyDirectives( $directives, $policyConfig, $mode );


        return implode( '; ', $directives );

    }


    private function getReportUri( $mode ) {

        $apiArguments = [

            'action' => 'cspreport',

            'format' => 'json'

        ];

        if ( $mode === self::REPORT_ONLY_MODE ) {

            $apiArguments['reportonly'] = '1';

        }

        $reportUri = wfAppendQuery( wfScript( 'api' ), $apiArguments );


        // Per spec, ';' and ',' must be hex-escaped in report URI

        $reportUri = $this->escapeUrlForCSP( $reportUri );

        return $reportUri;

    }


    private function prepareUrlForCSP( $url ) {

        $result = false;

        if ( preg_match( '/^[a-z][a-z0-9+.-]*:$/i', $url ) ) {

            // A schema source (e.g. blob: or data:)

            return $url;

        }

        $bits = wfGetUrlUtils()->parse( $url );

        if ( !$bits && !str_contains( $url, '/' ) ) {

            // probably something like example.com.

            // try again protocol-relative.

            $url = '//' . $url;

            $bits = wfGetUrlUtils()->parse( $url );

        }

        if ( $bits && isset( $bits['host'] )

            && $bits['host'] !== $this->mwConfig->get( MainConfigNames::ServerName )

        ) {

            $result = $bits['host'];

            if ( $bits['scheme'] !== '' ) {

                $result = $bits['scheme'] . $bits['delimiter'] . $result;

            }

            if ( isset( $bits['port'] ) ) {

                $result .= ':' . $bits['port'];

            }

            $result = $this->escapeUrlForCSP( $result );

        }

        return $result;

    }


    private function getAdditionalSelfUrlsScript() {

        $additionalUrls = [];

        // wgExtensionAssetsPath for ?debug=true mode

        $pathVars = [

            MainConfigNames::LoadScript,

            MainConfigNames::ExtensionAssetsPath,

            MainConfigNames::ResourceBasePath,

        ];


        foreach ( $pathVars as $path ) {

            $url = $this->mwConfig->get( $path );

            $preparedUrl = $this->prepareUrlForCSP( $url );

            if ( $preparedUrl ) {

                $additionalUrls[] = $preparedUrl;

            }

        }

        $RLSources = $this->mwConfig->get( MainConfigNames::ResourceLoaderSources );

        foreach ( $RLSources as $sources ) {

            foreach ( $sources as $value ) {

                $url = $this->prepareUrlForCSP( $value );

                if ( $url ) {

                    $additionalUrls[] = $url;

                }

            }

        }


        return array_unique( $additionalUrls );

    }


    private function getAdditionalSelfUrls() {

        // XXX on a foreign repo, the included description page can have anything on it,

        // including inline scripts. But nobody does that.


        // In principle, you can have even more complex configs... (e.g. The urlsByExt option)

        $pathUrls = [];

        $additionalSelfUrls = [];


        // Future todo: The zone urls should never go into

        // style-src. They should either be only in img-src, or if

        // img-src unspecified they should be in default-src. Similarly,

        // the DescriptionStylesheetUrl only needs to be in style-src

        // (or default-src if style-src unspecified).

        $callback = static function ( $repo, &$urls ) {

            $urls[] = $repo->getZoneUrl( 'public' );

            $urls[] = $repo->getZoneUrl( 'transcoded' );

            $urls[] = $repo->getZoneUrl( 'thumb' );

            $urls[] = $repo->getDescriptionStylesheetUrl();

        };

        $repoGroup = MediaWikiServices::getInstance()->getRepoGroup();

        $localRepo = $repoGroup->getRepo( 'local' );

        $callback( $localRepo, $pathUrls );

        $repoGroup->forEachForeignRepo( $callback, [ &$pathUrls ] );


        // Globals that might point to a different domain

        $pathGlobals = [

            MainConfigNames::LoadScript,

            MainConfigNames::ExtensionAssetsPath,

            MainConfigNames::StylePath,

            MainConfigNames::ResourceBasePath,

        ];

        foreach ( $pathGlobals as $path ) {

            $pathUrls[] = $this->mwConfig->get( $path );

        }

        foreach ( $pathUrls as $path ) {

            $preparedUrl = $this->prepareUrlForCSP( $path );

            if ( $preparedUrl !== false ) {

                $additionalSelfUrls[] = $preparedUrl;

            }

        }

        $RLSources = $this->mwConfig->get( MainConfigNames::ResourceLoaderSources );


        foreach ( $RLSources as $sources ) {

            foreach ( $sources as $value ) {

                $url = $this->prepareUrlForCSP( $value );

                if ( $url ) {

                    $additionalSelfUrls[] = $url;

                }

            }

        }


        return array_unique( $additionalSelfUrls );

    }


    private function getCORSSources() {

        $additionalUrls = [];

        $CORSSources = $this->mwConfig->get( MainConfigNames::CrossSiteAJAXdomains );

        foreach ( $CORSSources as $source ) {

            if ( str_contains( $source, '?' ) ) {

                // CSP doesn't support single char wildcard

                continue;

            }

            $url = $this->prepareUrlForCSP( $source );

            if ( $url ) {

                $additionalUrls[] = $url;

            }

        }

        return $additionalUrls;

    }


    private function escapeUrlForCSP( $url ) {

        return str_replace(

            [ ';', ',' ],

            [ '%3B', '%2C' ],

            $url

        );

    }


    public static function falsePositiveBrowser( $ua ) {

        return (bool)preg_match( '!Firefox/4[0-2]\.!', $ua );

    }


    public static function isNonceRequired( Config $config ) {

        $configs = [

            $config->get( MainConfigNames::CSPHeader ),

            $config->get( MainConfigNames::CSPReportOnlyHeader ),

        ];

        return self::isNonceRequiredArray( $configs );

    }


    private static function isNonceRequiredArray( array $configs ) {

        foreach ( $configs as $headerConfig ) {

            if (

                is_array( $headerConfig ) &&

                isset( $headerConfig['useNonces'] ) &&

                $headerConfig['useNonces']

            ) {

                return true;

            }

        }

        return false;

    }


    public function getNonce() {

        return false;

    }


    public function addDefaultSrc( $source ) {

        $this->extraDefaultSrc[] = $this->prepareUrlForCSP( $source );

    }


    public function addStyleSrc( $source ) {

        $this->extraStyleSrc[] = $this->prepareUrlForCSP( $source );

    }


    public function addScriptSrc( $source ) {

        $this->extraScriptSrc[] = $this->prepareUrlForCSP( $source );

    }


    public static function getMediaHeader( string $filename ) {

        $config = MediaWikiServices::getInstance()->getMainConfig();

        if ( !$config->get( MainConfigNames::CSPUploadEntryPoint ) ) {

            return null;

        }

        // Some browsers (Chrome) require allowing objects to

        // render PDFs. Generally plugins are slightly higher-risk

        // so only allow it on pdf files.

        if ( strtolower( substr( $filename, -4 ) ) === '.pdf' ) {

            return self::UPLOAD_CSP_PDF;

        }

        return self::UPLOAD_CSP;

    }


    public static function sendRestrictiveHeader() {

        // Intentionally don't use WebResponse, since we want to use this in

        // exception handler, so avoid unnecessary dependencies. Still allow

        // default-src of 'self' for favicon and whatnot. This doesn't include

        // default-src data or style-src 'unsafe-inline', which would be fairly

        // safe, but we are trying to be minimal here.

        header( "Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'" );

    }


}


wfGetUrlUtils
wfGetUrlUtils()
Definition GlobalFunctions.php:462

wfAppendQuery
wfAppendQuery( $url, $query)
Append a query string to an existing URL, which may or may not already have query string parameters a...
Definition GlobalFunctions.php:428

wfScript
wfScript( $script='index')
Get the URL path to a MediaWiki entry point.
Definition GlobalFunctions.php:1777

wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:820

wfDeprecated
wfDeprecated( $function, $version=false, $component=false, $callerOffset=2)
Logs a warning that a deprecated feature was used.
Definition GlobalFunctions.php:735

$path
$path
Definition NoLocalSettings.php:14

MediaWiki\HookContainer\HookContainer
HookContainer class.
Definition HookContainer.php:42

MediaWiki\HookContainer\HookRunner
This class provides an implementation of the core hook interfaces, forwarding hook calls to HookConta...
Definition HookRunner.php:590

MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22

MediaWiki\MainConfigNames\ServerName
const ServerName
Name constant for the ServerName setting, for use with Config::get()
Definition MainConfigNames.php:52

MediaWiki\MainConfigNames\StylePath
const StylePath
Name constant for the StylePath setting, for use with Config::get()
Definition MainConfigNames.php:106

MediaWiki\MainConfigNames\ExtensionAssetsPath
const ExtensionAssetsPath
Name constant for the ExtensionAssetsPath setting, for use with Config::get()
Definition MainConfigNames.php:118

MediaWiki\MainConfigNames\ResourceBasePath
const ResourceBasePath
Name constant for the ResourceBasePath setting, for use with Config::get()
Definition MainConfigNames.php:2114

MediaWiki\MainConfigNames\ResourceLoaderSources
const ResourceLoaderSources
Name constant for the ResourceLoaderSources setting, for use with Config::get()
Definition MainConfigNames.php:2108

MediaWiki\MainConfigNames\CSPHeader
const CSPHeader
Name constant for the CSPHeader setting, for use with Config::get()
Definition MainConfigNames.php:3153

MediaWiki\MainConfigNames\AllowExternalImages
const AllowExternalImages
Name constant for the AllowExternalImages setting, for use with Config::get()
Definition MainConfigNames.php:2361

MediaWiki\MainConfigNames\CSPUploadEntryPoint
const CSPUploadEntryPoint
Name constant for the CSPUploadEntryPoint setting, for use with Config::get()
Definition MainConfigNames.php:474

MediaWiki\MainConfigNames\EnableImageWhitelist
const EnableImageWhitelist
Name constant for the EnableImageWhitelist setting, for use with Config::get()
Definition MainConfigNames.php:2373

MediaWiki\MainConfigNames\LoadScript
const LoadScript
Name constant for the LoadScript setting, for use with Config::get()
Definition MainConfigNames.php:94

MediaWiki\MainConfigNames\CSPReportOnlyHeader
const CSPReportOnlyHeader
Name constant for the CSPReportOnlyHeader setting, for use with Config::get()
Definition MainConfigNames.php:3159

MediaWiki\MainConfigNames\AllowExternalImagesFrom
const AllowExternalImagesFrom
Name constant for the AllowExternalImagesFrom setting, for use with Config::get()
Definition MainConfigNames.php:2367

MediaWiki\MainConfigNames\CrossSiteAJAXdomains
const CrossSiteAJAXdomains
Name constant for the CrossSiteAJAXdomains setting, for use with Config::get()
Definition MainConfigNames.php:4290

MediaWiki\MediaWikiServices
Service locator for MediaWiki core services.
Definition MediaWikiServices.php:257

MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition MediaWikiServices.php:345

MediaWiki\Request\ContentSecurityPolicy
Handle sending Content-Security-Policy headers.
Definition ContentSecurityPolicy.php:23

MediaWiki\Request\ContentSecurityPolicy\falsePositiveBrowser
static falsePositiveBrowser( $ua)
Does this browser give false positive reports?
Definition ContentSecurityPolicy.php:493

MediaWiki\Request\ContentSecurityPolicy\FULL_MODE
const FULL_MODE
Definition ContentSecurityPolicy.php:25

MediaWiki\Request\ContentSecurityPolicy\addDefaultSrc
addDefaultSrc( $source)
If possible you should use a more specific source type then default.
Definition ContentSecurityPolicy.php:552

MediaWiki\Request\ContentSecurityPolicy\sendHeaders
sendHeaders()
Send CSP headers based on wiki config.
Definition ContentSecurityPolicy.php:97

MediaWiki\Request\ContentSecurityPolicy\getMediaHeader
static getMediaHeader(string $filename)
Get the CSP header for a specific file.
Definition ContentSecurityPolicy.php:591

MediaWiki\Request\ContentSecurityPolicy\REPORT_ONLY_MODE
const REPORT_ONLY_MODE
Definition ContentSecurityPolicy.php:24

MediaWiki\Request\ContentSecurityPolicy\getNonce
getNonce()
Get the nonce if nonce is in use.
Definition ContentSecurityPolicy.php:538

MediaWiki\Request\ContentSecurityPolicy\addStyleSrc
addStyleSrc( $source)
So for example, if an extension added a special page that loaded external CSS it might call $this->ge...
Definition ContentSecurityPolicy.php:564

MediaWiki\Request\ContentSecurityPolicy\isNonceRequired
static isNonceRequired(Config $config)
Should we set nonce attribute.
Definition ContentSecurityPolicy.php:503

MediaWiki\Request\ContentSecurityPolicy\__construct
__construct(WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
Definition ContentSecurityPolicy.php:57

MediaWiki\Request\ContentSecurityPolicy\addScriptSrc
addScriptSrc( $source)
So for example, if an extension added a special page that loaded something it might call $this->getOu...
Definition ContentSecurityPolicy.php:577

MediaWiki\Request\ContentSecurityPolicy\getDirectives
getDirectives()
Get the CSP directives for the wiki.
Definition ContentSecurityPolicy.php:75

MediaWiki\Request\ContentSecurityPolicy\sendRestrictiveHeader
static sendRestrictiveHeader()
Output a very restrictive CSP header to disallow all active content.
Definition ContentSecurityPolicy.php:615

MediaWiki\Request\WebResponse
Allow programs to request this object from WebRequest::response() and handle all outputting (or lack ...
Definition WebResponse.php:25

MediaWiki\Config\Config
Interface for configuration instances.
Definition Config.php:18

MediaWiki\Config\Config\get
get( $name)
Get a configuration variable such as "Sitename" or "UploadMaintenance.".

$source
$source
Definition mwdoc-filter.php:36

MediaWiki\Request
Definition ContentSecurityPolicy.php:7

$url
$url
Definition opensearch_desc.php:23