MediaWiki  master
ContentSecurityPolicy Class Reference

Public Member Functions

 __construct (WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
 
 addDefaultSrc ( $source)
 If possible you should use a more specific source type then default. More...
 
 addScriptSrc ( $source)
 So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );. More...
 
 addStyleSrc ( $source)
 So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );. More...
 
 getNonce ()
 Get the nonce if nonce is in use. More...
 
 sendCSPHeader ( $csp, $reportOnly)
 Send a single CSP header based on a given policy config. More...
 
 sendHeaders ()
 Send CSP headers based on wiki config. More...
 

Static Public Member Functions

static falsePositiveBrowser ( $ua)
 Does this browser give false positive reports? More...
 
static isNonceRequired (Config $config)
 Should we set nonce attribute. More...
 

Public Attributes

const FULL_MODE = 2
 
const REPORT_ONLY_MODE = 1
 

Detailed Description

Definition at line 33 of file ContentSecurityPolicy.php.

Constructor & Destructor Documentation

◆ __construct()

ContentSecurityPolicy::__construct ( WebResponse  $response,
Config  $mwConfig,
HookContainer  $hookContainer 
)
Note
As a general rule, you would not construct this class directly but use the instance from OutputPage::getCSP()
Access: internal
Parameters
WebResponse$response
Config$mwConfig
HookContainer$hookContainer
Since
1.35 Method signature changed

Definition at line 63 of file ContentSecurityPolicy.php.

Member Function Documentation

◆ addDefaultSrc()

ContentSecurityPolicy::addDefaultSrc (   $source)

If possible you should use a more specific source type then default.

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addDefaultSrc( '*.example.com' );

Since
1.35
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 569 of file ContentSecurityPolicy.php.

References $source.

◆ addScriptSrc()

ContentSecurityPolicy::addScriptSrc (   $source)

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );.

Since
1.35
Warning
Be careful including external scripts, as they can take over accounts.
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 594 of file ContentSecurityPolicy.php.

References $source.

◆ addStyleSrc()

ContentSecurityPolicy::addStyleSrc (   $source)

So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );.

Since
1.35
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 581 of file ContentSecurityPolicy.php.

References $source.

◆ falsePositiveBrowser()

static ContentSecurityPolicy::falsePositiveBrowser (   $ua)
static

Does this browser give false positive reports?

Some versions of firefox (40-42) incorrectly report a csp violation for nonce sources, despite allowing them.

See also
https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Parameters
string$uaUser-agent header
Returns
bool

Definition at line 501 of file ContentSecurityPolicy.php.

◆ getNonce()

ContentSecurityPolicy::getNonce ( )

Get the nonce if nonce is in use.

Since
1.35
Returns
bool|string A random (base64) string or false if not used.

Definition at line 547 of file ContentSecurityPolicy.php.

◆ isNonceRequired()

static ContentSecurityPolicy::isNonceRequired ( Config  $config)
static

Should we set nonce attribute.

Parameters
Config$config
Returns
bool

Definition at line 511 of file ContentSecurityPolicy.php.

References Config\get().

Referenced by Html\inlineScript(), and Html\linkedScript().

◆ sendCSPHeader()

ContentSecurityPolicy::sendCSPHeader (   $csp,
  $reportOnly 
)

Send a single CSP header based on a given policy config.

Note
Most callers will probably want ContentSecurityPolicy::sendHeaders() instead.
Access: internal
Parameters
array | bool$cspContentSecurityPolicy configuration
int$reportOnlyself::*_MODE constant

Definition at line 79 of file ContentSecurityPolicy.php.

Referenced by sendHeaders().

◆ sendHeaders()

ContentSecurityPolicy::sendHeaders ( )

Send CSP headers based on wiki config.

Main method that callers (OutputPage) are expected to use. As a general rule, you would never call this in an extension unless you have disabled OutputPage and are fully controlling the output.

Since
1.35

Definition at line 98 of file ContentSecurityPolicy.php.

References sendCSPHeader().

Member Data Documentation

◆ FULL_MODE

const ContentSecurityPolicy::FULL_MODE = 2

Definition at line 35 of file ContentSecurityPolicy.php.

◆ REPORT_ONLY_MODE

const ContentSecurityPolicy::REPORT_ONLY_MODE = 1

Definition at line 34 of file ContentSecurityPolicy.php.


The documentation for this class was generated from the following file: