ContentSecurityPolicy
extends BaseConfig
in package
Stores the default settings for the ContentSecurityPolicy, if you choose to use it. The values here will be read in and set as defaults for the site. If needed, they can be overridden on a page-by-page basis.
Suggested reference for explanations:
Table of Contents
- $baseURI : string|array<string|int, string>|null
- Restricts the URLs that can appear in a page's `<base>` element.
- $childSrc : string|array<string|int, string>
- Lists the URLs for workers and embedded frame contents
- $connectSrc : string|array<string|int, string>
- Limits the origins that you can connect to (via XHR, WebSockets, and EventSource).
- $defaultSrc : string|array<string|int, string>|null
- Will default to self if not overridden
- $fontSrc : string|array<string|int, string>
- Specifies the origins that can serve web fonts.
- $formAction : string|array<string|int, string>
- Lists valid endpoints for submission from `<form>` tags.
- $frameAncestors : string|array<string|int, string>|null
- Specifies the sources that can embed the current page.
- $frameSrc : array<string|int, mixed>|string|null
- The frame-src directive restricts the URLs which may be loaded into nested browsing contexts.
- $imageSrc : string|array<string|int, string>
- Defines the origins from which images can be loaded.
- $manifestSrc : string|array<string|int, string>|null
- $mediaSrc : string|array<string|int, string>|null
- Restricts the origins allowed to deliver video and audio.
- $objectSrc : string|array<string|int, string>
- Allows control over Flash and other plugins.
- $pluginTypes : string|array<string|int, string>|null
- Limits the kinds of plugins a page may invoke.
- $registrars : array<string|int, mixed>
- An optional array of classes that will act as Registrars for rapidly setting config class properties.
- $reportOnly : bool
- Default CSP report context
- $reportURI : string|null
- Specifies a URL where a browser will send reports when a content security policy is violated.
- $sandbox : string|array<string|int, string>|null
- List of actions allowed.
- $scriptSrc : string|array<string|int, string>
- Lists allowed scripts' URLs.
- $styleSrc : string|array<string|int, string>
- Lists allowed stylesheets' URLs.
- $upgradeInsecureRequests : bool
- Instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for websites with large numbers of old URLs that need to be rewritten.
- $didDiscovery : bool
- Has module discovery happened yet?
- $moduleConfig : Modules
- The modules configuration.
- __construct() : mixed
- Will attempt to get environment variables with names that match the properties of the child class.
- getEnvValue() : mixed
- Retrieve an environment-specific configuration setting
- initEnvValue() : mixed
- Initializes an environment-specific configuration setting
- registerProperties() : mixed
- Provides external libraries a simple way to register one or more options into a config file.
Properties
$baseURI
Restricts the URLs that can appear in a page's `<base>` element.
public
string|array<string|int, string>|null
$baseURI
= null
Will default to self if not overridden
$childSrc
Lists the URLs for workers and embedded frame contents
public
string|array<string|int, string>
$childSrc
= 'self'
$connectSrc
Limits the origins that you can connect to (via XHR, WebSockets, and EventSource).
public
string|array<string|int, string>
$connectSrc
= 'self'
$defaultSrc
Will default to self if not overridden
public
string|array<string|int, string>|null
$defaultSrc
= null
$fontSrc
Specifies the origins that can serve web fonts.
public
string|array<string|int, string>
$fontSrc
= null
$formAction
Lists valid endpoints for submission from `<form>` tags.
public
string|array<string|int, string>
$formAction
= 'self'
$frameAncestors
Specifies the sources that can embed the current page.
public
string|array<string|int, string>|null
$frameAncestors
= null
This directive applies to `<frame>`, `<iframe>`, `<embed>`, and `<applet>` tags. This directive can't be used in `<meta>` tags and applies only to non-HTML resources.
$frameSrc
The frame-src directive restricts the URLs which may be loaded into nested browsing contexts.
public
array<string|int, mixed>|string|null
$frameSrc
= null
$imageSrc
Defines the origins from which images can be loaded.
public
string|array<string|int, string>
$imageSrc
= 'self'
$manifestSrc
public
string|array<string|int, string>|null
$manifestSrc
= null
$mediaSrc
Restricts the origins allowed to deliver video and audio.
public
string|array<string|int, string>|null
$mediaSrc
= null
$objectSrc
Allows control over Flash and other plugins.
public
string|array<string|int, string>
$objectSrc
= 'self'
$pluginTypes
Limits the kinds of plugins a page may invoke.
public
string|array<string|int, string>|null
$pluginTypes
= null
$registrars
An optional array of classes that will act as Registrars for rapidly setting config class properties.
public
static array<string|int, mixed>
$registrars
= []
$reportOnly
Default CSP report context
public
bool
$reportOnly
= false
$reportURI
Specifies a URL where a browser will send reports when a content security policy is violated.
public
string|null
$reportURI
= null
$sandbox
List of actions allowed.
public
string|array<string|int, string>|null
$sandbox
= null
$scriptSrc
Lists allowed scripts' URLs.
public
string|array<string|int, string>
$scriptSrc
= 'self'
$styleSrc
Lists allowed stylesheets' URLs.
public
string|array<string|int, string>
$styleSrc
= 'self'
$upgradeInsecureRequests
Instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for websites with large numbers of old URLs that need to be rewritten.
public
bool
$upgradeInsecureRequests
= false
$didDiscovery
Has module discovery happened yet?
protected
static bool
$didDiscovery
= false
$moduleConfig
The modules configuration.
protected
static Modules
$moduleConfig
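How the default values listed above would translate into a response header, as an added illustration in standalone PHP (not CodeIgniter's own implementation). `renderCsp()`, the two constant maps, the CDN host and the report path are assumptions of this example, and leaving unset directives out of the header is assumed rather than taken from the framework.

```php
<?php
// Added illustration, not CodeIgniter's code; renderCsp() and both maps are hypothetical.
const CSP_DIRECTIVES = [
    'baseURI' => 'base-uri', 'childSrc' => 'child-src', 'connectSrc' => 'connect-src',
    'defaultSrc' => 'default-src', 'fontSrc' => 'font-src', 'formAction' => 'form-action',
    'frameAncestors' => 'frame-ancestors', 'frameSrc' => 'frame-src', 'imageSrc' => 'img-src',
    'manifestSrc' => 'manifest-src', 'mediaSrc' => 'media-src', 'objectSrc' => 'object-src',
    'pluginTypes' => 'plugin-types', 'sandbox' => 'sandbox', 'scriptSrc' => 'script-src',
    'styleSrc' => 'style-src', 'reportURI' => 'report-uri',
];
// Source keywords are single-quoted in the header; hosts, schemes and paths are not.
const CSP_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];

function renderCsp(array $config): array
{
    // Per the property notes on this page, these two fall back to self when null.
    $config['defaultSrc'] ??= 'self';
    $config['baseURI']    ??= 'self';
    $quote = static fn (string $s): string => in_array($s, CSP_KEYWORDS, true) ? "'{$s}'" : $s;

    $parts = [];
    foreach (CSP_DIRECTIVES as $property => $directive) {
        $value = $config[$property] ?? null;
        if ($value === null || $value === []) {
            continue; // assumption: a directive with no value is left out of the header
        }
        $parts[] = $directive . ' ' . implode(' ', array_map($quote, (array) $value));
    }
    if (! empty($config['upgradeInsecureRequests'])) {
        $parts[] = 'upgrade-insecure-requests';
    }
    $name = 'Content-Security-Policy' . (empty($config['reportOnly']) ? '' : '-Report-Only');

    return [$name, implode('; ', $parts)];
}

// Defaults as listed on this page; properties whose default is null are omitted.
$defaults = [
    'childSrc' => 'self', 'connectSrc' => 'self', 'formAction' => 'self', 'imageSrc' => 'self',
    'objectSrc' => 'self', 'scriptSrc' => 'self', 'styleSrc' => 'self',
    'reportOnly' => false, 'upgradeInsecureRequests' => false,
];
// Constructed per-page override: an example CDN for scripts, trialled in report-only mode.
$page = ['scriptSrc' => ['self', 'https://cdn.example.com'], 'reportURI' => '/csp-report',
         'reportOnly' => true] + $defaults;

foreach ([$defaults, $page] as $policy) {
    echo implode(': ', renderCsp($policy)), PHP_EOL;
}
```

With `reportOnly` set, browsers report violations to the `report-uri` endpoint without blocking anything, which makes it a low-risk way to trial a tightened per-page policy before enforcing it.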
Methods
__construct()
Will attempt to get environment variables with names that match the properties of the child class.
public
__construct() : mixed
The "shortPrefix" is the lowercase-only config class name.
Return values
mixed
getEnvValue()
Retrieve an environment-specific configuration setting
protected
getEnvValue(string $property, string $prefix, string $shortPrefix) : mixed
Parameters
- $property : string
- $prefix : string
- $shortPrefix : string
Return values
mixed
initEnvValue()
Initializes an environment-specific configuration setting
protected
initEnvValue(mixed &$property, string $name, string $prefix, string $shortPrefix) : mixed
Parameters
- $property : mixed
- $name : string
- $prefix : string
- $shortPrefix : string
Return values
mixed
registerProperties()
Provides external libraries a simple way to register one or more options into a config file.
protected
registerProperties() : mixed