MediaWiki  master
ContentSecurityPolicy Class Reference
Collaboration diagram for ContentSecurityPolicy:

Public Member Functions

 __construct (WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
 
 addDefaultSrc ( $source)
 Add an additional default src. More...
 
 addScriptSrc ( $source)
 Add an additional script src. More...
 
 addStyleSrc ( $source)
 Add an additional CSS src. More...
 
 getNonce ()
 Get the nonce if nonce is in use. More...
 
 sendCSPHeader ( $csp, $reportOnly)
 Send a single CSP header based on a given policy config. More...
 
 sendHeaders ()
 Send CSP headers based on wiki config. More...
 

Static Public Member Functions

static falsePositiveBrowser ( $ua)
 Does this browser give false positive reports? More...
 
static isNonceRequired (Config $config)
 Should we set nonce attribute. More...
 

Public Attributes

const FULL_MODE = 2
 
const REPORT_ONLY_MODE = 1
 

Private Member Functions

 escapeUrlForCSP ( $url)
 CSP spec says ',' and ';' are not allowed to appear in urls. More...
 
 getAdditionalSelfUrls ()
 Get additional host names for the wiki (e.g. More...
 
 getAdditionalSelfUrlsScript ()
 Get additional script sources. More...
 
 getCORSSources ()
 include domains that are allowed to send us CORS requests. More...
 
 getHeaderName ( $reportOnly)
 Get the name of the HTTP header to use. More...
 
 getReportUri ( $mode)
 Get the default report uri. More...
 
 makeCSPDirectives ( $policyConfig, $mode)
 Determine what CSP policies to set for this page. More...
 
 prepareUrlForCSP ( $url)
 Given a url, convert to form needed for CSP. More...
 

Static Private Member Functions

static isNonceRequiredArray (array $configs)
 Does a specific config require a nonce. More...
 

Private Attributes

array $extraDefaultSrc = []
 
array $extraScriptSrc = []
 
array $extraStyleSrc = []
 
HookRunner $hookRunner
 
Config $mwConfig
 The site configuration object. More...
 
string $nonce
 The nonce to use for inline scripts (from OutputPage) More...
 
WebResponse $response
 

Detailed Description

Definition at line 32 of file ContentSecurityPolicy.php.

Constructor & Destructor Documentation

◆ __construct()

ContentSecurityPolicy::__construct ( WebResponse  $response,
Config  $mwConfig,
HookContainer  $hookContainer 
)
Note
As a general rule, you would not construct this class directly but use the instance from OutputPage::getCSP()

Definition at line 62 of file ContentSecurityPolicy.php.

References $mwConfig, and $response.

Member Function Documentation

◆ addDefaultSrc()

ContentSecurityPolicy::addDefaultSrc (   $source)

Add an additional default src.

If possible you should use a more specific source type then default.

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addDefaultSrc( '*.example.com' );

Since
1.35
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 572 of file ContentSecurityPolicy.php.

References $source, and prepareUrlForCSP().

◆ addScriptSrc()

ContentSecurityPolicy::addScriptSrc (   $source)

Add an additional script src.

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );

Since
1.35
Warning
Be careful including external scripts, as they can take over accounts.
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 601 of file ContentSecurityPolicy.php.

References $source, and prepareUrlForCSP().

◆ addStyleSrc()

ContentSecurityPolicy::addStyleSrc (   $source)

Add an additional CSS src.

So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );

Since
1.35
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 586 of file ContentSecurityPolicy.php.

References $source, and prepareUrlForCSP().

◆ escapeUrlForCSP()

ContentSecurityPolicy::escapeUrlForCSP (   $url)
private

CSP spec says ',' and ';' are not allowed to appear in urls.

Note
This assumes that normal escaping has been applied to the url
Parameters
string$urlURL (or possibly just part of one)
Returns
string

Definition at line 484 of file ContentSecurityPolicy.php.

Referenced by getReportUri(), makeCSPDirectives(), and prepareUrlForCSP().

◆ falsePositiveBrowser()

static ContentSecurityPolicy::falsePositiveBrowser (   $ua)
static

Does this browser give false positive reports?

Some versions of firefox (40-42) incorrectly report a csp violation for nonce sources, despite allowing them.

See also
https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Parameters
string$uaUser-agent header
Returns
bool

Definition at line 502 of file ContentSecurityPolicy.php.

Referenced by ApiCSPReport\getFlags().

◆ getAdditionalSelfUrls()

ContentSecurityPolicy::getAdditionalSelfUrls ( )
private

Get additional host names for the wiki (e.g.

if static content loaded elsewhere)

Note
These are general load sources, not script sources
Returns
array Array of other urls for wiki (for use in default-src)

Definition at line 400 of file ContentSecurityPolicy.php.

References $path, and prepareUrlForCSP().

Referenced by makeCSPDirectives().

◆ getAdditionalSelfUrlsScript()

ContentSecurityPolicy::getAdditionalSelfUrlsScript ( )
private

Get additional script sources.

Returns
array Additional sources for loading scripts from

Definition at line 369 of file ContentSecurityPolicy.php.

References $path, and prepareUrlForCSP().

Referenced by makeCSPDirectives().

◆ getCORSSources()

ContentSecurityPolicy::getCORSSources ( )
private

include domains that are allowed to send us CORS requests.

Technically, $wgCrossSiteAJAXdomains lists things that are allowed to talk to us not things that we are allowed to talk to - but if something is allowed to talk to us, then there is a good chance that we should probably be allowed to talk to it.

This is configurable with the 'includeCORS' key in the CSP config, and enabled by default.

Note
CORS domains with single character ('?') wildcards, are not included.
Returns
array Additional hosts

Definition at line 461 of file ContentSecurityPolicy.php.

References $source, and prepareUrlForCSP().

Referenced by makeCSPDirectives().

◆ getHeaderName()

ContentSecurityPolicy::getHeaderName (   $reportOnly)
private

Get the name of the HTTP header to use.

Parameters
int$reportOnlyEither self::REPORT_ONLY_MODE or self::FULL_MODE
Returns
string Name of http header
Exceptions
UnexpectedValueException

Definition at line 120 of file ContentSecurityPolicy.php.

Referenced by sendCSPHeader().

◆ getNonce()

ContentSecurityPolicy::getNonce ( )

Get the nonce if nonce is in use.

Since
1.35
Returns
bool|string A random (base64) string or false if not used.

Definition at line 548 of file ContentSecurityPolicy.php.

References $nonce.

Referenced by makeCSPDirectives().

◆ getReportUri()

ContentSecurityPolicy::getReportUri (   $mode)
private

Get the default report uri.

Parameters
int$modeself::*_MODE constant.
Returns
string The URI to send reports to.
Exceptions
UnexpectedValueExceptionif given invalid mode.

Definition at line 306 of file ContentSecurityPolicy.php.

References escapeUrlForCSP(), wfAppendQuery(), and wfScript().

Referenced by makeCSPDirectives().

◆ isNonceRequired()

static ContentSecurityPolicy::isNonceRequired ( Config  $config)
static

Should we set nonce attribute.

Parameters
Config$configConfiguration object
Returns
bool

Definition at line 512 of file ContentSecurityPolicy.php.

References Config\get(), and isNonceRequiredArray().

Referenced by Html\inlineScript(), and Html\linkedScript().

◆ isNonceRequiredArray()

static ContentSecurityPolicy::isNonceRequiredArray ( array  $configs)
staticprivate

Does a specific config require a nonce.

Parameters
array$configsAn array of CSP config arrays
Returns
bool

Definition at line 526 of file ContentSecurityPolicy.php.

Referenced by isNonceRequired().

◆ makeCSPDirectives()

ContentSecurityPolicy::makeCSPDirectives (   $policyConfig,
  $mode 
)
private

Determine what CSP policies to set for this page.

Parameters
array | bool$policyConfigPolicy configuration (Either $wgCSPHeader or $wgCSPReportOnlyHeader)
int$modeself::REPORT_ONLY_MODE, self::FULL_MODE
Returns
string Policy directives, or empty string for no policy.

Definition at line 139 of file ContentSecurityPolicy.php.

References $mwConfig, escapeUrlForCSP(), Config\get(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), getCORSSources(), getNonce(), getReportUri(), and wfMessage().

Referenced by sendCSPHeader().

◆ prepareUrlForCSP()

ContentSecurityPolicy::prepareUrlForCSP (   $url)
private

Given a url, convert to form needed for CSP.

Currently this does either scheme + host, or if protocol relative, just the host. Future versions could potentially preserve some of the path, if its determined that that would be a good idea.

Note
This does the extra escaping for CSP, but assumes the url has already had normal url escaping applied.
This discards urls same as server name, as 'self' directive takes care of that.
Parameters
string$url
Returns
string|bool Converted url or false on failure

Definition at line 336 of file ContentSecurityPolicy.php.

References escapeUrlForCSP(), and wfParseUrl().

Referenced by addDefaultSrc(), addScriptSrc(), addStyleSrc(), getAdditionalSelfUrls(), getAdditionalSelfUrlsScript(), and getCORSSources().

◆ sendCSPHeader()

ContentSecurityPolicy::sendCSPHeader (   $csp,
  $reportOnly 
)

Send a single CSP header based on a given policy config.

Note
Most callers will probably want ContentSecurityPolicy::sendHeaders() instead.

Definition at line 78 of file ContentSecurityPolicy.php.

References getHeaderName(), and makeCSPDirectives().

Referenced by sendHeaders().

◆ sendHeaders()

ContentSecurityPolicy::sendHeaders ( )

Send CSP headers based on wiki config.

Main method that callers (OutputPage) are expected to use. As a general rule, you would never call this in an extension unless you have disabled OutputPage and are fully controlling the output.

Since
1.35

Definition at line 97 of file ContentSecurityPolicy.php.

References sendCSPHeader().

Member Data Documentation

◆ $extraDefaultSrc

array ContentSecurityPolicy::$extraDefaultSrc = []
private

Definition at line 44 of file ContentSecurityPolicy.php.

◆ $extraScriptSrc

array ContentSecurityPolicy::$extraScriptSrc = []
private

Definition at line 46 of file ContentSecurityPolicy.php.

◆ $extraStyleSrc

array ContentSecurityPolicy::$extraStyleSrc = []
private

Definition at line 48 of file ContentSecurityPolicy.php.

◆ $hookRunner

HookRunner ContentSecurityPolicy::$hookRunner
private

Definition at line 51 of file ContentSecurityPolicy.php.

◆ $mwConfig

Config ContentSecurityPolicy::$mwConfig
private

The site configuration object.

Definition at line 39 of file ContentSecurityPolicy.php.

Referenced by __construct(), and makeCSPDirectives().

◆ $nonce

string ContentSecurityPolicy::$nonce
private

The nonce to use for inline scripts (from OutputPage)

Definition at line 37 of file ContentSecurityPolicy.php.

Referenced by getNonce().

◆ $response

WebResponse ContentSecurityPolicy::$response
private

Definition at line 41 of file ContentSecurityPolicy.php.

Referenced by __construct().

◆ FULL_MODE

const ContentSecurityPolicy::FULL_MODE = 2

Definition at line 34 of file ContentSecurityPolicy.php.

◆ REPORT_ONLY_MODE

const ContentSecurityPolicy::REPORT_ONLY_MODE = 1

Definition at line 33 of file ContentSecurityPolicy.php.


The documentation for this class was generated from the following file: