MediaWiki  master
Public Member Functions | Static Public Member Functions | Public Attributes | List of all members
GuzzleHttp\Psr7\Request\ContentSecurityPolicy Class Reference

Handle sending Content-Security-Policy headers. More...

Public Member Functions

 __construct (WebResponse $response, Config $mwConfig, HookContainer $hookContainer)
 
 addDefaultSrc ( $source)
 If possible you should use a more specific source type then default. More...
 
 addScriptSrc ( $source)
 So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );. More...
 
 addStyleSrc ( $source)
 So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );. More...
 
 getNonce ()
 Get the nonce if nonce is in use. More...
 
 sendCSPHeader ( $csp, $reportOnly)
 Send a single CSP header based on a given policy config. More...
 
 sendHeaders ()
 Send CSP headers based on wiki config. More...
 

Static Public Member Functions

static falsePositiveBrowser ( $ua)
 Does this browser give false positive reports? More...
 
static isNonceRequired (Config $config)
 Should we set nonce attribute. More...
 

Public Attributes

const FULL_MODE = 2
 
const REPORT_ONLY_MODE = 1
 

Detailed Description

Handle sending Content-Security-Policy headers.

Author
Copyright 2015–2018 Brian Wolff
See also
https://www.w3.org/TR/CSP2/
Since
1.32

Definition at line 37 of file ContentSecurityPolicy.php.

Constructor & Destructor Documentation

◆ __construct()

GuzzleHttp\Psr7\Request\ContentSecurityPolicy::__construct ( WebResponse  $response,
Config  $mwConfig,
HookContainer  $hookContainer 
)
Note
As a general rule, you would not construct this class directly but use the instance from OutputPage::getCSP()
Access: internal
Parameters
WebResponse$response
Config$mwConfig
HookContainer$hookContainer
Since
1.35 Method signature changed

Definition at line 65 of file ContentSecurityPolicy.php.

Member Function Documentation

◆ addDefaultSrc()

GuzzleHttp\Psr7\Request\ContentSecurityPolicy::addDefaultSrc (   $source)

If possible you should use a more specific source type then default.

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addDefaultSrc( '*.example.com' );

Since
1.35
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 562 of file ContentSecurityPolicy.php.

References $source.

◆ addScriptSrc()

GuzzleHttp\Psr7\Request\ContentSecurityPolicy::addScriptSrc (   $source)

So for example, if an extension added a special page that loaded something it might call $this->getOutput()->getCSP()->addScriptSrc( '*.example.com' );.

Since
1.35
Warning
Be careful including external scripts, as they can take over accounts.
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 587 of file ContentSecurityPolicy.php.

References $source.

◆ addStyleSrc()

GuzzleHttp\Psr7\Request\ContentSecurityPolicy::addStyleSrc (   $source)

So for example, if an extension added a special page that loaded external CSS it might call $this->getOutput()->getCSP()->addStyleSrc( '*.example.com' );.

Since
1.35
Parameters
string$sourceSource to add. e.g. blob:, *.example.com, https://example.com, example.com/foo

Definition at line 574 of file ContentSecurityPolicy.php.

References $source.

◆ falsePositiveBrowser()

static GuzzleHttp\Psr7\Request\ContentSecurityPolicy::falsePositiveBrowser (   $ua)
static

Does this browser give false positive reports?

Some versions of firefox (40-42) incorrectly report a CSP violation for nonce sources, despite allowing them.

See also
https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Parameters
string$uaUser-agent header
Returns
bool

Definition at line 503 of file ContentSecurityPolicy.php.

◆ getNonce()

GuzzleHttp\Psr7\Request\ContentSecurityPolicy::getNonce ( )

Get the nonce if nonce is in use.

Not currently supported or implemented.

Since
1.35
Returns
false

Definition at line 548 of file ContentSecurityPolicy.php.

◆ isNonceRequired()

static GuzzleHttp\Psr7\Request\ContentSecurityPolicy::isNonceRequired ( Config  $config)
static

Should we set nonce attribute.

Parameters
Config$config
Returns
bool

Definition at line 513 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPHeader, and MediaWiki\MainConfigNames\CSPReportOnlyHeader.

Referenced by MediaWiki\Html\Html\linkedScript().

◆ sendCSPHeader()

GuzzleHttp\Psr7\Request\ContentSecurityPolicy::sendCSPHeader (   $csp,
  $reportOnly 
)

Send a single CSP header based on a given policy config.

Note
Most callers will probably want ContentSecurityPolicy::sendHeaders() instead.
Access: internal
Parameters
array | bool$cspContentSecurityPolicy configuration
int$reportOnlyself::*_MODE constant

Definition at line 83 of file ContentSecurityPolicy.php.

Referenced by GuzzleHttp\Psr7\Request\ContentSecurityPolicy\sendHeaders().

◆ sendHeaders()

GuzzleHttp\Psr7\Request\ContentSecurityPolicy::sendHeaders ( )

Send CSP headers based on wiki config.

Main method that callers (OutputPage) are expected to use. As a general rule, you would never call this in an extension unless you have disabled OutputPage and are fully controlling the output.

Since
1.35

Definition at line 102 of file ContentSecurityPolicy.php.

References MediaWiki\MainConfigNames\CSPHeader, MediaWiki\MainConfigNames\CSPReportOnlyHeader, and GuzzleHttp\Psr7\Request\ContentSecurityPolicy\sendCSPHeader().

Member Data Documentation

◆ FULL_MODE

const GuzzleHttp\Psr7\Request\ContentSecurityPolicy::FULL_MODE = 2

Definition at line 39 of file ContentSecurityPolicy.php.

◆ REPORT_ONLY_MODE

const GuzzleHttp\Psr7\Request\ContentSecurityPolicy::REPORT_ONLY_MODE = 1

Definition at line 38 of file ContentSecurityPolicy.php.

The documentation for this class was generated from the following file: