MediaWiki master
MediaWiki\Request\ContentSecurityPolicy Class Reference

Handle sending Content-Security-Policy headers. More...

Public Member Functions

 __construct (WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
 
 addDefaultSrc ( $source)
 If possible you should use a more specific source type than default.
 
 addScriptSrc ( $source)
 So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );.
 
 addStyleSrc ( $source)
 So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );.
 
 getDirectives ()
 Get the CSP directives for the wiki.
 
 getNonce ()
 Get the nonce if nonce is in use.
 
 sendHeaders ()
 Send CSP headers based on wiki config.
 

Static Public Member Functions

static falsePositiveBrowser ( $ua)
 Does this browser give false positive reports?
 
static isNonceRequired (Config $config)
 Should we set the nonce attribute?
 

Public Attributes

const FULL_MODE = 2
 
const REPORT_ONLY_MODE = 1
 

Detailed Description

Handle sending Content-Security-Policy headers.

Author
Copyright 2015–2018 Brian Wolff
See also
https://www.w3.org/TR/CSP2/
Since
1.32

Definition at line 37 of file ContentSecurityPolicy.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Request\ContentSecurityPolicy::__construct ( WebResponse $response, Config $mwConfig, HookContainer $hookContainer )
Note
As a general rule, you would not construct this class directly but use the instance from OutputPage::getCSP().
Access: internal
Parameters
WebResponse $response
Config $mwConfig
HookContainer $hookContainer
Since
1.35 (method signature changed)

Definition at line 65 of file ContentSecurityPolicy.php.

Member Function Documentation

◆ addDefaultSrc()

MediaWiki\Request\ContentSecurityPolicy::addDefaultSrc ( $source)

If possible you should use a more specific source type than default.

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addDefaultSrc( '*.example.com' );

Since
1.35
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 563 of file ContentSecurityPolicy.php.

References $source.

◆ addScriptSrc()

MediaWiki\Request\ContentSecurityPolicy::addScriptSrc ( $source)

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );.

Since
1.35
Warning
Be careful including external scripts, as they can take over accounts.
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 588 of file ContentSecurityPolicy.php.

References $source.

◆ addStyleSrc()

MediaWiki\Request\ContentSecurityPolicy::addStyleSrc ( $source)

So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );.

Since
1.35
Parameters
string $source Source to add, e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 575 of file ContentSecurityPolicy.php.

References $source.
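An added example of how an extension's special page would use the three add*Src() methods described above; it is not MediaWiki core code, and the extension namespace, special page name, hosts and the unnamespaced SpecialPage class alias are assumptions.

```php
<?php
// Added example, not MediaWiki core or extension code. The extension
// (MyGadget), the special page (GadgetDemo) and the host are placeholders.
namespace MediaWiki\Extension\MyGadget;

use SpecialPage; // assumed: the legacy class alias for MediaWiki\SpecialPage\SpecialPage

class SpecialGadgetDemo extends SpecialPage {
	public function __construct() {
		parent::__construct( 'GadgetDemo' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$out = $this->getOutput();
		// Use the OutputPage instance rather than constructing the class directly.
		$csp = $out->getCSP();

		// Use the most specific directive for each resource type: a stylesheet
		// host goes in style-src via addStyleSrc(), not addDefaultSrc(), so the
		// rest of the policy (script-src, connect-src, ...) stays unchanged.
		$csp->addStyleSrc( 'https://static.example.org' );

		// Scripts get the same treatment. The class documentation warns that an
		// external script origin can take over accounts, so this allows a single
		// exact origin instead of a wildcard such as '*.example.org'.
		$csp->addScriptSrc( 'https://static.example.org' );

		// The headers are emitted later by OutputPage through sendHeaders();
		// the special page never calls sendHeaders() itself.
		$out->addHTML( '<p>Demo page whose CSP allows one extra origin.</p>' );
	}
}
```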

◆ falsePositiveBrowser()

static MediaWiki\Request\ContentSecurityPolicy::falsePositiveBrowser ( $ua)

Does this browser give false positive reports?

Some versions of Firefox (40-42) incorrectly report a CSP violation for nonce sources, despite allowing them.

See also
https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Parameters
string $ua User-Agent header
Returns
bool

Definition at line 504 of file ContentSecurityPolicy.php.

◆ getDirectives()

MediaWiki\Request\ContentSecurityPolicy::getDirectives ( )

Get the CSP directives for the wiki.

Returns
string[] Array of CSP directives (header name => header value). The array keys will be ContentSecurityPolicy::FULL_MODE and ContentSecurityPolicy::REPORT_ONLY_MODE; a key might not be present if the wiki is configured not to use the given type of CSP.
Since
1.42

Definition at line 83 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPHeader, and MediaWiki\MainConfigNames\CSPReportOnlyHeader.

Referenced by MediaWiki\Request\ContentSecurityPolicy\sendHeaders().

◆ getNonce()

MediaWiki\Request\ContentSecurityPolicy::getNonce ( )

Get the nonce if nonce is in use.

Not currently supported or implemented.

Since
1.35
Returns
false

Definition at line 549 of file ContentSecurityPolicy.php.

◆ isNonceRequired()

static MediaWiki\Request\ContentSecurityPolicy::isNonceRequired ( Config $config)

Should we set the nonce attribute?

Parameters
Config $config
Returns
bool

Definition at line 514 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPHeader, MediaWiki\MainConfigNames\CSPReportOnlyHeader, and MediaWiki\Config\Config\get().

◆ sendHeaders()

MediaWiki\Request\ContentSecurityPolicy::sendHeaders ( )

Send CSP headers based on wiki config.

Main method that callers (OutputPage) are expected to use. As a general rule, you would never call this in an extension unless you have disabled OutputPage and are fully controlling the output.

Since
1.35

Definition at line 105 of file ContentSecurityPolicy.php.

References MediaWiki\Request\ContentSecurityPolicy\getDirectives().

Member Data Documentation

◆ FULL_MODE

const MediaWiki\Request\ContentSecurityPolicy::FULL_MODE = 2

Definition at line 39 of file ContentSecurityPolicy.php.

◆ REPORT_ONLY_MODE

const MediaWiki\Request\ContentSecurityPolicy::REPORT_ONLY_MODE = 1

Definition at line 38 of file ContentSecurityPolicy.php.
