MediaWiki master
MediaWiki\Request\ContentSecurityPolicy Class Reference

Handle sending Content-Security-Policy headers. More...

Public Member Functions

 __construct (WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
 
 addDefaultSrc ( $source)
 If possible you should use a more specific source type than default.
 
 addScriptSrc ( $source)
 For example, if an extension added a special page that loaded an external script, it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );
 
 addStyleSrc ( $source)
 For example, if an extension added a special page that loaded external CSS, it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );
 
 getDirectives ()
 Get the CSP directives for the wiki.
 
 getNonce ()
 Get the nonce if nonce is in use.
 
 sendHeaders ()
 Send CSP headers based on wiki config.
 

Static Public Member Functions

static falsePositiveBrowser ( $ua)
 Does this browser give false positive reports?
 
static getMediaHeader (string $filename)
 Get the CSP header for a specific file.
 
static isNonceRequired (Config $config)
 Should we set nonce attribute.
 
static sendRestrictiveHeader ()
 Output a very restrictive CSP header to disallow all active content.
 

Public Attributes

const FULL_MODE = 2
 
const REPORT_ONLY_MODE = 1
 

Detailed Description

Handle sending Content-Security-Policy headers.

Author
Copyright 2015–2018 Brian Wolff
See also
https://www.w3.org/TR/CSP2/
Since
1.32

Definition at line 23 of file ContentSecurityPolicy.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Request\ContentSecurityPolicy::__construct ( WebResponse $response,
Config $mwConfig,
HookContainer $hookContainer )
Note
As a general rule, you would not construct this class directly but use the instance from OutputPage::getCSP()
Access: internal
Parameters
WebResponse $response
Config $mwConfig
HookContainer $hookContainer
Since
1.35 Method signature changed

Definition at line 57 of file ContentSecurityPolicy.php.

Member Function Documentation

◆ addDefaultSrc()

MediaWiki\Request\ContentSecurityPolicy::addDefaultSrc ( $source)

If possible you should use a more specific source type than default, since default-src widens every fetch directive that is not set explicitly (scripts included).

For example, if an extension added a special page that loaded resources not covered by a more specific directive, it might call $this->getOutput()->getCSP()->addDefaultSrc( '*.example.com' );

Since
1.35
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 552 of file ContentSecurityPolicy.php.

References $source.

◆ addScriptSrc()

MediaWiki\Request\ContentSecurityPolicy::addScriptSrc ( $source)

For example, if an extension added a special page that loaded an external script, it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );

Since
1.35
Warning
Be careful including external scripts, as they can take over accounts.
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 577 of file ContentSecurityPolicy.php.

References $source.

◆ addStyleSrc()

MediaWiki\Request\ContentSecurityPolicy::addStyleSrc ( $source)

For example, if an extension added a special page that loaded external CSS, it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );

Since
1.35
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 564 of file ContentSecurityPolicy.php.

References $source.
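The following is an added example of how an extension special page would use addStyleSrc() and addScriptSrc() (and why addDefaultSrc() is left alone). It is not code from MediaWiki core or from any existing extension; the page name, the extension namespace and the two hostnames are hypothetical.

```php
<?php
// Added example, not MediaWiki core code. The namespace, page name and
// hostnames below are hypothetical.
namespace MediaWiki\Extension\Example;

use MediaWiki\Html\Html;
use MediaWiki\SpecialPage\SpecialPage;

class SpecialExampleEmbed extends SpecialPage {
	public function __construct() {
		parent::__construct( 'ExampleEmbed' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$out = $this->getOutput();
		// OutputPage::getCSP() returns the per-request ContentSecurityPolicy
		// instance; do not construct the class yourself.
		$csp = $out->getCSP();

		// Use the most specific directive available. A stylesheet only needs
		// style-src, so default-src is not widened for it.
		$csp->addStyleSrc( 'https://static.example.com' );

		// A script from another origin runs in the wiki's origin with the
		// user's session and can act as the user. Pin scheme and host rather
		// than a wildcard such as '*.example.com', and only allow it on the
		// pages that actually need it.
		$csp->addScriptSrc( 'https://widgets.example.com' );

		$out->addHTML( Html::element( 'div', [ 'id' => 'example-embed' ] ) );
	}
}
```

The calls only add sources to the request being rendered; nothing is changed globally, so a second special page that does not call these methods keeps the wiki's configured policy.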

◆ falsePositiveBrowser()

static MediaWiki\Request\ContentSecurityPolicy::falsePositiveBrowser ( $ua)
static

Does this browser give false positive reports?

Some versions of Firefox (40–42) incorrectly report a CSP violation for nonce sources despite allowing them, so reports from those user agents are noise rather than evidence of an actual policy violation.

See also
https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Parameters
string $ua User-Agent header
Returns
bool

Definition at line 493 of file ContentSecurityPolicy.php.

◆ getDirectives()

MediaWiki\Request\ContentSecurityPolicy::getDirectives ( )

Get the CSP directives for the wiki.

Returns
string[] Array of CSP directives (mode => header value). The array keys will be ContentSecurityPolicy::FULL_MODE and ContentSecurityPolicy::REPORT_ONLY_MODE; a key is absent if the wiki is configured not to use that type of CSP.
Since
1.42

Definition at line 75 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPHeader, and MediaWiki\MainConfigNames\CSPReportOnlyHeader.

Referenced by MediaWiki\Request\ContentSecurityPolicy\sendHeaders().

◆ getMediaHeader()

static MediaWiki\Request\ContentSecurityPolicy::getMediaHeader ( string $filename)
static

Get the CSP header for a specific file.

Note
Only used in img_auth.php and thumb.php. Normal image serving is handled by a .htaccess file.
Since
1.45
Parameters
string $filename
Returns
string|null CSP header value (without the header name prefix)

Definition at line 591 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPUploadEntryPoint, and MediaWiki\MediaWikiServices\getInstance().

◆ getNonce()

MediaWiki\Request\ContentSecurityPolicy::getNonce ( )

Get the nonce if nonce is in use.

Not currently supported or implemented.

Since
1.35
Returns
false

Definition at line 538 of file ContentSecurityPolicy.php.

◆ isNonceRequired()

static MediaWiki\Request\ContentSecurityPolicy::isNonceRequired ( Config $config)
static

Should we set nonce attribute.

Parameters
Config $config
Returns
bool

Definition at line 503 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPHeader, MediaWiki\MainConfigNames\CSPReportOnlyHeader, and MediaWiki\Config\Config\get().

◆ sendHeaders()

MediaWiki\Request\ContentSecurityPolicy::sendHeaders ( )

Send CSP headers based on wiki config.

Main method that callers (OutputPage) are expected to use. As a general rule, you would never call this in an extension unless you have disabled OutputPage and are fully controlling the output.

Since
1.35

Definition at line 97 of file ContentSecurityPolicy.php.

References MediaWiki\Request\ContentSecurityPolicy\getDirectives().
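The following is an added example of the one situation in which sendHeaders() and getDirectives() are called outside OutputPage: an entry point that disables OutputPage and writes its own HTML. It is not MediaWiki core code; the function name, the log channel name and the response body are hypothetical.

```php
<?php
// Added example, not MediaWiki core code. exampleRenderStandalone(), the
// 'example' log channel and the HTML body are hypothetical.
use MediaWiki\Context\RequestContext;
use MediaWiki\Request\ContentSecurityPolicy;

function exampleRenderStandalone( string $title, string $escapedBody ): void {
	$context = RequestContext::getMain();
	$out = $context->getOutput();
	$csp = $out->getCSP();

	// Which modes are enabled follows $wgCSPHeader / $wgCSPReportOnlyHeader.
	// The keys are the mode constants; a disabled mode is simply absent.
	$directives = $csp->getDirectives();
	$enforcing = isset( $directives[ContentSecurityPolicy::FULL_MODE] );
	$reportOnly = isset( $directives[ContentSecurityPolicy::REPORT_ONLY_MODE] );
	wfDebugLog( 'example', sprintf(
		'CSP enforce=%s report-only=%s',
		$enforcing ? 'yes' : 'no',
		$reportOnly ? 'yes' : 'no'
	) );

	// Emit the configured Content-Security-Policy and/or
	// Content-Security-Policy-Report-Only headers for this response, then
	// disable OutputPage so it does not also render the skin.
	$csp->sendHeaders();
	$out->disable();

	$response = $context->getRequest()->response();
	$response->header( 'Content-Type: text/html; charset=utf-8' );
	echo '<!DOCTYPE html><html><head><title>' . htmlspecialchars( $title )
		. '</title></head><body>' . $escapedBody . '</body></html>';
}
```

sendHeaders() must run before any output is written, since headers cannot be sent once the body has started; the order above (headers, disable OutputPage, then echo) keeps that invariant.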

◆ sendRestrictiveHeader()

static MediaWiki\Request\ContentSecurityPolicy::sendRestrictiveHeader ( )
static

Output a very restrictive CSP header to disallow all active content.

This is meant for endpoints that don't output normal wiki content and should never have any sort of JavaScript on them, for example exception output when OutputPage cannot be used. In the future this might be used for things that output non-HTML MIME types like api.php, load.php, etc.

Since
1.45

Definition at line 615 of file ContentSecurityPolicy.php.
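The following is an added example of an img_auth.php-style file-serving entry point that combines getMediaHeader() for file responses with sendRestrictiveHeader() for its HTML error page. It is not MediaWiki core code; the storage root, the function name and the 404 body are hypothetical, and treating a null result from getMediaHeader() as "fall back to the restrictive header" is this example's own choice.

```php
<?php
// Added example, not MediaWiki core code. exampleServeFile(), the storage
// root and the error body are hypothetical.
use MediaWiki\Context\RequestContext;
use MediaWiki\Request\ContentSecurityPolicy;

function exampleServeFile( string $relPath ): void {
	$context = RequestContext::getMain();
	$response = $context->getRequest()->response();

	// Hypothetical private storage root; the request must not escape it.
	$root = '/srv/mediawiki/private-uploads';
	$full = realpath( $root . '/' . $relPath );
	if ( $full === false || strpos( $full, $root . '/' ) !== 0 || !is_file( $full ) ) {
		// The error page is HTML but must never carry active content, so
		// lock it down completely instead of sending the wiki's policy.
		$response->statusHeader( 404 );
		ContentSecurityPolicy::sendRestrictiveHeader();
		$response->header( 'Content-Type: text/html; charset=utf-8' );
		echo '<!DOCTYPE html><p>File not found.</p>';
		return;
	}

	// Uploaded content (SVG, PDF, ...) can itself contain script, so the
	// policy depends on the file. getMediaHeader() returns only the value,
	// so the "Content-Security-Policy:" prefix is added here. A null result
	// is treated as "no file-specific policy" and, in this example, falls
	// back to the restrictive header.
	$cspValue = ContentSecurityPolicy::getMediaHeader( basename( $full ) );
	if ( $cspValue !== null ) {
		$response->header( 'Content-Security-Policy: ' . $cspValue );
	} else {
		ContentSecurityPolicy::sendRestrictiveHeader();
	}

	$response->header( 'Content-Type: ' . mime_content_type( $full ) );
	// Stop browsers from sniffing an upload into a more dangerous type.
	$response->header( 'X-Content-Type-Options: nosniff' );
	readfile( $full );
}
```

The CSP header complements, rather than replaces, the Content-Type and nosniff headers: the policy limits what an uploaded file may do if it is rendered as a document, while the type headers limit whether the browser will treat it as one.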

Member Data Documentation

◆ FULL_MODE

const MediaWiki\Request\ContentSecurityPolicy::FULL_MODE = 2

Definition at line 25 of file ContentSecurityPolicy.php.

◆ REPORT_ONLY_MODE

const MediaWiki\Request\ContentSecurityPolicy::REPORT_ONLY_MODE = 1

Definition at line 24 of file ContentSecurityPolicy.php.


The documentation for this class was generated from the following file: