ContentSecurityPolicy
in package
Provides tools for working with the Content-Security-Policy header to help defeat XSS attacks.
Table of Contents
- $baseURI : array<string|int, mixed>|string
- Used for security enforcement
- $childSrc : array<string|int, mixed>|string
- Used for security enforcement
- $connectSrc : array<string|int, mixed>
- Used for security enforcement
- $defaultSrc : array<string|int, mixed>|string
- Used for security enforcement
- $fontSrc : array<string|int, mixed>|string
- Used for security enforcement
- $formAction : array<string|int, mixed>|string
- Used for security enforcement
- $frameAncestors : array<string|int, mixed>|string
- Used for security enforcement
- $frameSrc : array<string|int, mixed>|string
- Used for security enforcement
- $imageSrc : array<string|int, mixed>|string
- Used for security enforcement
- $manifestSrc : array<string|int, mixed>|string
- Used for security enforcement
- $mediaSrc : array<string|int, mixed>|string
- Used for security enforcement
- $nonces : array<string|int, mixed>
- Used for security enforcement
- $objectSrc : array<string|int, mixed>|string
- Used for security enforcement
- $pluginTypes : array<string|int, mixed>|string
- Used for security enforcement
- $reportOnly : bool
- Used for security enforcement
- $reportOnlyHeaders : array<string|int, mixed>
- An array of header info to build that should only be reported.
- $reportURI : string
- Used for security enforcement
- $sandbox : array<string|int, mixed>|string
- Used for security enforcement
- $scriptSrc : array<string|int, mixed>|string
- Used for security enforcement
- $styleSrc : array<string|int, mixed>|string
- Used for security enforcement
- $tempHeaders : array<string|int, mixed>
- An array of header info; the headers have to be built here before being passed to the Response.
- $upgradeInsecureRequests : bool
- Used for security enforcement
- $validSources : array<string|int, mixed>
- Used for security enforcement
- __construct() : mixed
- Constructor.
- addBaseURI() : $this
- Adds a new base_uri value. Can be either a URI class or a simple string.
- addChildSrc() : $this
- Adds a new valid source for workers and embedded frame contents (child-src). Can be either a URI class or a simple string.
- addConnectSrc() : $this
- Adds a new valid origin for script-initiated connections such as XHR, WebSockets and EventSource (connect-src). Can be either a URI class or a simple string.
- addFontSrc() : $this
- Adds a new valid origin for web fonts (font-src). Can be either a URI class or a simple string.
- addFormAction() : $this
- Adds a new valid endpoint for a form's action. Can be either a URI class or a simple string.
- addFrameAncestor() : $this
- Adds a new origin that is allowed to embed this resource using <frame>, <iframe>, <object>, <embed>, or <applet> (frame-ancestors). Can be either a URI class or a simple string.
- addFrameSrc() : $this
- Adds a new valid endpoint for valid frame sources. Can be either a URI class or a simple string.
- addImageSrc() : $this
- Adds a new valid endpoint for valid image sources. Can be either a URI class or a simple string.
- addManifestSrc() : $this
- Adds a new valid endpoint for manifest sources. Can be either a URI class or simple string.
- addMediaSrc() : $this
- Adds a new valid endpoint for valid video and audio. Can be either a URI class or a simple string.
- addObjectSrc() : $this
- Adds a new valid endpoint for Flash and other plugin sources. Can be either a URI class or a simple string.
- addPluginType() : $this
- Limits the MIME types of plugins that can be used. Accepts one or more MIME types as a string or an array.
- addSandbox() : $this
- Specifies an HTML sandbox policy that the user agent applies to the protected resource.
- addScriptSrc() : $this
- Adds a new valid endpoint for javascript file sources. Can be either a URI class or a simple string.
- addStyleSrc() : $this
- Adds a new valid endpoint for CSS file sources. Can be either a URI class or a simple string.
- finalize() : void
- Compiles and sets the appropriate headers on the response.
- reportOnly() : $this
- If TRUE, nothing will be restricted. Instead all violations will be reported to the reportURI for monitoring. This is useful when you are just starting to implement the policy, and will help determine what errors need to be addressed before you turn on all filtering.
- setDefaultSrc() : $this
- Sets the default source list (default-src), used as the fallback for any fetch directive that has not been set explicitly. Can be either a URI class or a simple string.
- setReportURI() : $this
- Specifies a URL where the browser will send reports when the content security policy is violated. Takes a string (cast a URI object to string first).
- upgradeInsecureRequests() : $this
- Sets whether the user agents should rewrite URL schemes, changing HTTP to HTTPS.
- addOption() : void
- DRY method to add a string or array to a class property.
- addToHeader() : void
- Adds a directive and its options to the appropriate header. The $values array might have options that are geared toward either the regular or the reportOnly header, since it's viable to have both simultaneously.
- buildHeaders() : void
- Based on the current state of the elements, will add the appropriate Content-Security-Policy and Content-Security-Policy-Report-Only headers with their values to the response object.
- generateNonces() : void
- Scans the body of the response and replaces any nonce placeholders with freshly generated nonces, which are then added to the headers.
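Worked example of the public API listed above, added here; it is not code from the CodeIgniter project or its documentation. It assumes a bootstrapped CodeIgniter 4 application (for instance run from a test case), that Config\ContentSecurityPolicy and Config\Services::response() exist as in a stock install, and that {csp-script-nonce} is the placeholder the class rewrites in the body; the placeholder name, the hosts and the /csp-report endpoint are assumptions, so check generateNonces() in your version for the exact tag.

```php
<?php
// Added usage example (not the framework's own code). Assumptions: bootstrapped
// CI4 app, stock Config\ContentSecurityPolicy, and the {csp-script-nonce}
// body placeholder; hosts and the report endpoint are placeholders.

use CodeIgniter\HTTP\ContentSecurityPolicy;
use Config\ContentSecurityPolicy as CSPConfig;
use Config\Services;

$csp      = new ContentSecurityPolicy(new CSPConfig());
$response = Services::response();

// One inline bootstrap script. With a per-response nonce it may run even though
// 'unsafe-inline' is never allowed, while an injected <script> cannot guess the
// value and is blocked.
$response->setBody(
    '<html><body><script {csp-script-nonce}>App.init();</script></body></html>'
);

$csp->setDefaultSrc('none')                               // deny by default
    ->addScriptSrc(['self', 'https://cdn.example.com'])   // keywords are quoted for you
    ->addStyleSrc('self')
    ->addImageSrc(['self', 'data:'])
    ->addFontSrc('self')
    ->addConnectSrc(['self', 'https://api.example.com'])
    ->addObjectSrc('none')                                // no plugins at all
    ->addBaseURI('self')                                  // stops <base href> hijacking of relative URLs
    ->addFormAction('self')                               // forms may only submit to this origin
    ->upgradeInsecureRequests()
    ->setReportURI('/csp-report');                        // assumed endpoint that stores reports

// Trial a directive before enforcing it: with $explicitReporting = true this
// entry is written to the Content-Security-Policy-Report-Only header, so
// framing is reported but not blocked and the enforced policy above is
// unaffected. Enforce it once the reports show no legitimate embedding.
$csp->addFrameAncestor('none', true);

// Just before sending: replaces the placeholder with a fresh nonce, adds the
// matching 'nonce-...' source to script-src and sets both headers.
$csp->finalize($response);

echo $response->getHeaderLine('Content-Security-Policy'), PHP_EOL;
echo $response->getHeaderLine('Content-Security-Policy-Report-Only'), PHP_EOL;
echo $response->getBody(), PHP_EOL;   // placeholder now reads nonce="..."
```

Keep the chain in the order shown: setDefaultSrc('none') first, then allow per resource type. Calling finalize() yourself is only needed when you want to inspect the result; otherwise call it once, immediately before the response is sent, as the method description says.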
Properties
$baseURI
Used for security enforcement
protected
array<string|int, mixed>|string
$baseURI
= []
$childSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$childSrc
= []
$connectSrc
Used for security enforcement
protected
array<string|int, mixed>
$connectSrc
= []
$defaultSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$defaultSrc
= []
$fontSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$fontSrc
= []
$formAction
Used for security enforcement
protected
array<string|int, mixed>|string
$formAction
= []
$frameAncestors
Used for security enforcement
protected
array<string|int, mixed>|string
$frameAncestors
= []
$frameSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$frameSrc
= []
$imageSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$imageSrc
= []
$manifestSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$manifestSrc
= []
$mediaSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$mediaSrc
= []
$nonces
Used for security enforcement
protected
array<string|int, mixed>
$nonces
= []
$objectSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$objectSrc
= []
$pluginTypes
Used for security enforcement
protected
array<string|int, mixed>|string
$pluginTypes
= []
$reportOnly
Used for security enforcement
protected
bool
$reportOnly
= false
$reportOnlyHeaders
An array of header info to build that should only be reported.
protected
array<string|int, mixed>
$reportOnlyHeaders
= []
$reportURI
Used for security enforcement
protected
string
$reportURI
$sandbox
Used for security enforcement
protected
array<string|int, mixed>|string
$sandbox
= []
$scriptSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$scriptSrc
= []
$styleSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$styleSrc
= []
$tempHeaders
An array of header info; the headers have to be built here before being passed to the Response.
protected
array<string|int, mixed>
$tempHeaders
= []
$upgradeInsecureRequests
Used for security enforcement
protected
bool
$upgradeInsecureRequests
= false
$validSources
Used for security enforcement
protected
array<string|int, mixed>
$validSources
= ['self', 'none', 'unsafe-inline', 'unsafe-eval']
Methods
__construct()
Constructor.
public
__construct(ContentSecurityPolicy $config) : mixed
Stores our default values from the Config file.
Parameters
- $config : ContentSecurityPolicy
Return values
mixed
addBaseURI()
Adds a new base_uri value. Can be either a URI class or a simple string.
public
addBaseURI(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
base-uri restricts the URLs that can appear in a page's <base> element.
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addChildSrc()
Adds a new valid source for workers and embedded frame contents. Can be either a URI class or a simple string.
public
addChildSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins.
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addConnectSrc()
Adds a new valid origin for script-initiated connections. Can be either a URI class or a simple string.
public
addConnectSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource).
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addFontSrc()
Adds a new valid origin for web fonts. Can be either a URI class or a simple string.
public
addFontSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
font-src specifies the origins that can serve web fonts.
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addFormAction()
Adds a new valid endpoint for a form's action. Can be either a URI class or a simple string.
public
addFormAction(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addFrameAncestor()
Adds a new origin that is allowed to embed this resource using <frame>, <iframe>, <object>, <embed>, or <applet>. Can be either a URI class or a simple string.
public
addFrameAncestor(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addFrameSrc()
Adds a new valid endpoint for valid frame sources. Can be either a URI class or a simple string.
public
addFrameSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addImageSrc()
Adds a new valid endpoint for valid image sources. Can be either a URI class or a simple string.
public
addImageSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addManifestSrc()
Adds a new valid endpoint for manifest sources. Can be either a URI class or simple string.
public
addManifestSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addMediaSrc()
Adds a new valid endpoint for valid video and audio. Can be either a URI class or a simple string.
public
addMediaSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addObjectSrc()
Adds a new valid endpoint for Flash and other plugin sources. Can be either a URI class or a simple string.
public
addObjectSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addPluginType()
Limits the MIME types of plugins that can be used. Accepts one or more MIME types as a string or an array. The plugin-types directive was dropped from CSP Level 3 and is ignored by current browsers; restricting object-src (for example to 'none') is the reliable control.
public
addPluginType(string|array<string|int, mixed> $mime[, bool|null $explicitReporting = null ]) : $this
Parameters
- $mime : string|array<string|int, mixed>
  One or more plugin MIME types, separated by spaces
- $explicitReporting : bool|null = null
Return values
$this
addSandbox()
Specifies an HTML sandbox policy that the user agent applies to the protected resource.
public
addSandbox(string|array<string|int, mixed> $flags[, bool|null $explicitReporting = null ]) : $this
Parameters
- $flags : string|array<string|int, mixed>
  An array of sandbox flags that can be added to the directive.
- $explicitReporting : bool|null = null
Return values
$this
addScriptSrc()
Adds a new valid endpoint for javascript file sources. Can be either a URI class or a simple string.
public
addScriptSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
addStyleSrc()
Adds a new valid endpoint for CSS file sources. Can be either a URI class or a simple string.
public
addStyleSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
finalize()
Compiles and sets the appropriate headers on the response.
public
finalize(ResponseInterface &$response) : void
Should be called just prior to sending the response to the user agent.
Parameters
- $response : ResponseInterface
Return values
void
reportOnly()
If TRUE, nothing will be restricted. Instead all violations will be reported to the reportURI for monitoring. This is useful when you are just starting to implement the policy, and will help determine what errors need to be addressed before you turn on all filtering. A report-only policy still needs a report URI (see setReportURI()) for the browser to send reports anywhere; without one, violations are only logged to the browser console.
public
reportOnly([bool $value = true ]) : $this
Parameters
- $value : bool = true
Return values
$this
setDefaultSrc()
Sets the default source list. Can be either a URI class or a simple string.
public
setDefaultSrc(string|array<string|int, mixed> $uri[, bool|null $explicitReporting = null ]) : $this
default-src is the source list used as the fallback for any fetch directive (script-src, style-src, img-src, connect-src, font-src, media-src, object-src, child-src and so on) that has not been set explicitly. It does not apply to base-uri, form-action, frame-ancestors or sandbox, which must be set on their own.
Parameters
- $uri : string|array<string|int, mixed>
- $explicitReporting : bool|null = null
Return values
$this
setReportURI()
Specifies a URL where the browser will send reports when the content security policy is violated. Takes a string (cast a URI object to string first).
public
setReportURI(string $uri) : $this
Parameters
- $uri : string
Return values
$this
upgradeInsecureRequests()
Sets whether the user agents should rewrite URL schemes, changing HTTP to HTTPS.
public
upgradeInsecureRequests([bool $value = true ]) : $this
Parameters
- $value : bool = true
Return values
$this
addOption()
DRY method to add a string or array to a class property.
protected
addOption(string|array<string|int, mixed> $options, string $target[, bool|null $explicitReporting = null ]) : void
Parameters
- $options : string|array<string|int, mixed>
- $target : string
- $explicitReporting : bool|null = null
Return values
void
addToHeader()
Adds a directive and its options to the appropriate header. The $values array might have options that are geared toward either the regular or the reportOnly header, since it's viable to have both simultaneously.
protected
addToHeader(string $name[, array<string|int, mixed>|string|null $values = null ]) : void
Parameters
- $name : string
- $values : array<string|int, mixed>|string|null = null
Return values
void
buildHeaders()
Based on the current state of the elements, will add the appropriate Content-Security-Policy and Content-Security-Policy-Report-Only headers with their values to the response object.
protected
buildHeaders(ResponseInterface &$response) : void
Parameters
- $response : ResponseInterface
Return values
void
generateNonces()
Scans the body of the response and replaces any nonce placeholders with freshly generated nonces, which are then added to the headers.
protected
generateNonces(ResponseInterface &$response) : void
Parameters
- $response : ResponseInterface
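The three protected methods above (addToHeader(), buildHeaders(), generateNonces()) describe a pipeline: mint a nonce per placeholder in the body, attach it to the matching directive, then split every source between the enforcing and the report-only header. The stand-alone script below is an added illustration of that pipeline, not the framework's code; it runs with plain `php` and no application. The placeholder names ({csp-script-nonce}, {csp-style-nonce}), the wire format, and the rule that a source flagged for explicit reporting goes only to the report-only header are assumptions drawn from the method descriptions, so treat the real class as authoritative on details.

```php
<?php
// Added illustration of the finalize() pipeline; not the framework's code.
// Assumed: placeholder tags, wire format, and report-only routing as described
// in the method summaries on this page.

const KEYWORD_SOURCES = ['self', 'none', 'unsafe-inline', 'unsafe-eval'];

/**
 * Replace nonce placeholders in $body with fresh nonces and register each
 * nonce as an enforced source of the matching directive.
 *
 * @param array<string, array<string, bool>> $directives directive => [source => toReportOnly]
 */
function applyNonces(string $body, array &$directives): string
{
    $tags = ['{csp-script-nonce}' => 'script-src', '{csp-style-nonce}' => 'style-src'];
    foreach ($tags as $tag => $directive) {
        $body = preg_replace_callback(
            '/' . preg_quote($tag, '/') . '/',
            function () use (&$directives, $directive): string {
                // 128 bits from the CSPRNG. A nonce only protects against injected
                // inline script if the attacker cannot predict it, so it must be
                // fresh for every response and never derived from static data.
                $nonce = bin2hex(random_bytes(16));
                $directives[$directive]['nonce-' . $nonce] = false;   // enforced
                return 'nonce="' . $nonce . '"';
            },
            $body
        );
    }
    return $body;
}

/** Keyword and nonce sources are single-quoted on the wire; hosts and schemes are bare. */
function quoteSource(string $source): string
{
    $isNonce = strncmp($source, 'nonce-', 6) === 0;
    return (in_array($source, KEYWORD_SOURCES, true) || $isNonce) ? "'{$source}'" : $source;
}

/** Serialise one policy; upgrade-insecure-requests is only meaningful when enforced. */
function renderPolicy(array $policy, ?string $reportUri, bool $upgrade): string
{
    if ($policy === []) {
        return '';
    }
    $parts = [];
    foreach ($policy as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    if ($upgrade) {
        $parts[] = 'upgrade-insecure-requests';
    }
    if ($reportUri !== null) {
        // Without a report-uri a report-only policy only reaches the devtools console.
        $parts[] = 'report-uri ' . $reportUri;
    }
    return implode('; ', $parts);
}

/**
 * Split sources between the two headers. reportOnly mode sends everything to
 * Content-Security-Policy-Report-Only; otherwise only explicitly flagged
 * sources go there and the rest are enforced.
 *
 * @return array{0: string, 1: string} [enforced header value, report-only header value]
 */
function buildHeaders(array $directives, bool $reportOnlyMode, ?string $reportUri, bool $upgrade): array
{
    $enforced = [];
    $reported = [];
    foreach ($directives as $name => $sources) {
        foreach ($sources as $source => $toReportOnly) {
            if ($reportOnlyMode || $toReportOnly) {
                $reported[$name][] = quoteSource($source);
            } else {
                $enforced[$name][] = quoteSource($source);
            }
        }
    }
    return [renderPolicy($enforced, $reportUri, $upgrade), renderPolicy($reported, $reportUri, false)];
}

// Constructed sample body: one inline style and one inline script.
$body = '<style {csp-style-nonce}>body{margin:0}</style>'
      . '<script {csp-script-nonce}>App.init();</script>';

$directives = [
    'default-src'     => ['none' => false],
    'script-src'      => ['self' => false, 'https://cdn.example.com' => false],
    'style-src'       => ['self' => false],
    'object-src'      => ['none' => false],
    'frame-ancestors' => ['none' => true],   // explicit reporting: trial only
];

$body = applyNonces($body, $directives);
[$enforced, $reported] = buildHeaders($directives, false, '/csp-report', true);

echo 'Content-Security-Policy: ', $enforced, PHP_EOL;
echo 'Content-Security-Policy-Report-Only: ', $reported, PHP_EOL;
echo $body, PHP_EOL;
```

Run it twice and compare: the nonces differ on every run, which is exactly what makes them useful, and frame-ancestors appears only in the report-only header because it was flagged for explicit reporting. Flip the second argument of buildHeaders() to true to see the whole policy move into the report-only header, which is what reportOnly() does.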