CSPBuilder
in package
Class CSPBuilder from https://github.com/paragonie/csp-builder/blob/master/src/CSPBuilder.php made compatible with PHP 5.6
HumHub Patches:
- PHP 5.6 compatibility
- Removed report-to since it broke reporting
- Added rtrim to compile to remove the trailing ;
- Added report-sample support
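The following is an added usage example; it is not code from HumHub or from paragonie/csp-builder. It builds a nonce-based policy with the fluent methods documented below, inspects the resulting headers and sends them before any output. Two assumptions are made that this page does not state: the class is autoloadable under the upstream namespace ParagonIE\CSPBuilder (the HumHub fork lives in its own namespace, so adjust the use statement), and a directive overwritten with an empty list via setDirective() compiles to 'none', as it does upstream.

```php
<?php
// Added example, not part of the HumHub or paragonie code base.
// Assumption: the class autoloads under the upstream namespace; change the
// use statement to the HumHub fork's namespace in a real install.
require __DIR__ . '/vendor/autoload.php';

use ParagonIE\CSPBuilder\CSPBuilder;

$csp = new CSPBuilder();

// Fallback for every fetch type without a more specific directive.
$csp->setSelfAllowed('default-src', true);

// Scripts: same origin plus a per-response nonce. With strict-dynamic,
// scripts loaded by a nonced script inherit its trust and CSP3 browsers
// ignore host allow-list entries, so the list stays short.
$csp->setSelfAllowed('script-src', true)
    ->setStrictDynamic('script-src', true);
$nonce = $csp->nonce('script-src');   // generated by the builder when no value is given

// Styles, fonts and images from the origin plus one external host each.
$csp->setSelfAllowed('style-src', true)
    ->addSource('style-src', 'https://fonts.googleapis.com')
    ->setSelfAllowed('font-src', true)
    ->addSource('font-src', 'https://fonts.gstatic.com')
    ->setSelfAllowed('img-src', true)
    ->setDataAllowed('img-src', true);

// Hardening directives that should not be omitted: no plugins, no <base>
// hijacking, no framing by other origins, no form posts elsewhere.
// Assumption: an empty directive compiles to 'none' (upstream behaviour);
// check the compiled header once on your build.
$csp->setDirective('object-src', [])
    ->setSelfAllowed('base-uri', true)
    ->setSelfAllowed('frame-ancestors', true)
    ->setSelfAllowed('form-action', true);

// Violation reports. The HumHub patch removes report-to, so only the
// report-uri directive is emitted.
$csp->setReportUri('/csp-report');

// Inspect what will be sent (header name => value). With $legacy = true the
// upstream code also lists the deprecated X- prefixed header names.
foreach ($csp->getHeaderArray(true) as $name => $value) {
    error_log($name . ': ' . $value);
}

// Headers must go out before any output; the upstream method throws once
// headers_sent() is true, which would otherwise leave the page unprotected.
try {
    $csp->sendCSPHeader(true);
} catch (\Exception $e) {
    error_log('CSP header not sent: ' . $e->getMessage());
}

// The nonce attribute must match the header byte for byte and be escaped
// like any other attribute value.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">'
   . 'window.appReady = true;'
   . '</script>';
```

Call nonce() once per response and reuse the returned value for every inline script on that page; a nonce that is reused across responses gives an attacker who can read one page a permanent bypass.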
Table of Contents
Constants
- FORMAT_APACHE = 'apache'
- FORMAT_NGINX = 'nginx'
Properties
- $httpsTransformOnHttpsConnections : bool
- $supportOldBrowsers : bool
- $compiled : string
- $directives : array<string|int, string>
- $needsCompile : bool
- $policies : array<string|int, mixed>
- $reportOnly : bool
- $requireSRIFor : array<int, string>
Methods
- __construct() : mixed
- addDirective() : self
- Add a directive if it doesn't already exist
- addSource() : self
- Add a source to the allow-list of a directive
- allowPluginType() : self
- Add a MIME type to the plugin-types directive
- compile() : string
- Compile the current policies into a CSP header
- disableHttpsTransformOnHttpsConnections() : self
- Disable rewriting http:// sources to https:// when the current connection is HTTPS.
- disableOldBrowserSupport() : self
- Disable old browser support (e.g. Safari)
- enableHttpsTransformOnHttpsConnections() : self
- Enable rewriting http:// sources to https:// when the current connection is HTTPS.
- enableOldBrowserSupport() : self
- Enable old browser support (e.g. Safari)
- fromArray() : self
- This just passes the array to the constructor, but hopefully will save someone in a hurry from a moment of frustration.
- fromData() : self
- Factory method - create a new CSPBuilder object from JSON data
- fromFile() : self
- Factory method - create a new CSPBuilder object from a JSON file
- getCompiledHeader() : string
- Get the formatted CSP header
- getHeaderArray() : array<string, string>
- Get an associative array of headers to return.
- getRequireHeaders() : array<int, array{0: string, 1: string}>
- hash() : self
- Add a new hash to the existing CSP
- injectCSPHeader() : MessageInterface
- PSR-7 header injection.
- nonce() : string
- Add a new nonce to the existing CSP. Returns the nonce generated.
- preHash() : self
- Add a new (pre-calculated) base64-encoded hash to the existing CSP
- requireSRIFor() : self
- saveSnippet() : bool
- Save CSP to a snippet file
- sendCSPHeader() : bool
- Send the compiled CSP as a header()
- setAllowUnsafeEval() : self
- Allow/disallow unsafe-eval within a given directive.
- setAllowUnsafeInline() : self
- Allow/disallow unsafe-inline within a given directive.
- setBlobAllowed() : self
- Allow/disallow blob: URIs for a given directive
- setDataAllowed() : self
- Allow/disallow data: URIs for a given directive
- setDirective() : self
- Set a directive.
- setFileSystemAllowed() : self
- Allow/disallow filesystem: URIs for a given directive
- setMediaStreamAllowed() : self
- Allow/disallow mediastream: URIs for a given directive
- setReportUri() : self
- Set the Report URI to the desired string. Upstream also sets the 'report-to' component of the CSP header for CSP Level 3 compatibility; the HumHub patch removes report-to (see the patch notes above), so only report-uri is emitted.
- setSelfAllowed() : self
- Allow/disallow self URIs for a given directive
- setStrictDynamic() : self
- Set strict-dynamic for a given directive.
- setUnsafeEvalAllowed() : self
- setUnsafeInlineAllowed() : self
- compileSubgroup() : string
- Compile a subgroup into a policy string
- getHeaderKeys() : array<string|int, mixed>
- Get an array of header keys to return
- isHTTPSConnection() : bool
- Is this user currently connected over HTTPS?
Constants
FORMAT_APACHE
public
mixed
FORMAT_APACHE
= 'apache'
FORMAT_NGINX
public
mixed
FORMAT_NGINX
= 'nginx'
Properties
$httpsTransformOnHttpsConnections
protected
bool
$httpsTransformOnHttpsConnections
= true
$supportOldBrowsers
protected
bool
$supportOldBrowsers
= true
$compiled
private
string
$compiled
= ''
$directives
private
static array<string|int, string>
$directives
= ['base-uri', 'default-src', 'child-src', 'connect-src', 'font-src', 'form-action', 'frame-ancestors', 'frame-src', 'img-src', 'media-src', 'object-src', 'plugin-types', 'manifest-src', 'script-src', 'style-src', 'worker-src']
$needsCompile
private
bool
$needsCompile
= true
$policies
private
array<string|int, mixed>
$policies
= []
$reportOnly
private
bool
$reportOnly
= false
$requireSRIFor
private
array<int, string>
$requireSRIFor
= []
Methods
__construct()
public
__construct([array<string|int, mixed> $policy = [] ]) : mixed
Parameters
- $policy : array<string|int, mixed> = []
addDirective()
Add a directive if it doesn't already exist
public
addDirective(string $key[, mixed $value = null ]) : self
If it already exists, do nothing
Parameters
- $key : string
- $value : mixed = null
Return values
self
addSource()
Add a source to the allow-list of a directive
public
addSource(string $directive, string $path) : self
Parameters
- $directive : string
- $path : string
Return values
self
allowPluginType()
Add a MIME type to the plugin-types directive
public
allowPluginType([string $mime = 'text/plain' ]) : self
Parameters
- $mime : string = 'text/plain'
Return values
self
compile()
Compile the current policies into a CSP header
public
compile() : string
Return values
string
disableHttpsTransformOnHttpsConnections()
Disable rewriting http:// sources to https:// when the current connection is HTTPS.
public
disableHttpsTransformOnHttpsConnections() : self
Return values
self
disableOldBrowserSupport()
Disable old browser support (e.g. Safari)
public
disableOldBrowserSupport() : self
Return values
self
enableHttpsTransformOnHttpsConnections()
Enable rewriting http:// sources to https:// when the current connection is HTTPS.
public
enableHttpsTransformOnHttpsConnections() : self
This is enabled by default
Return values
self
enableOldBrowserSupport()
Enable old browser support (e.g. Safari)
public
enableOldBrowserSupport() : self
This is enabled by default
Return values
self
fromArray()
This just passes the array to the constructor, but hopefully will save someone in a hurry from a moment of frustration.
public
static fromArray([array<string|int, mixed> $array = [] ]) : self
Parameters
- $array : array<string|int, mixed> = []
Return values
self
fromData()
Factory method - create a new CSPBuilder object from JSON data
public
static fromData([string $data = '' ]) : self
Parameters
- $data : string = ''
Return values
self
fromFile()
Factory method - create a new CSPBuilder object from a JSON file
public
static fromFile([string $filename = '' ]) : self
Parameters
- $filename : string = ''
Return values
self
getCompiledHeader()
Get the formatted CSP header
public
getCompiledHeader() : string
Return values
string
getHeaderArray()
Get an associative array of headers to return.
public
getHeaderArray([bool $legacy = true ]) : array<string, string>
Parameters
- $legacy : bool = true
Return values
array<string, string>
getRequireHeaders()
public
getRequireHeaders() : array<int, array{0: string, 1: string}>
Return values
array<int, array{0: string, 1: string}>
hash()
Add a new hash to the existing CSP
public
hash([string $directive = 'script-src' ][, string $script = '' ][, string $algorithm = 'sha384' ]) : self
Parameters
- $directive : string = 'script-src'
- $script : string = ''
- $algorithm : string = 'sha384'
Return values
self
injectCSPHeader()
PSR-7 header injection.
public
injectCSPHeader(MessageInterface $message[, bool $legacy = false ]) : MessageInterface
This will inject the header into your PSR-7 object. (Request, Response, etc.) This method returns an instance of whatever you passed, so long as it implements MessageInterface.
Parameters
- $message : MessageInterface
- $legacy : bool = false
Return values
MessageInterface
nonce()
Add a new nonce to the existing CSP. Returns the nonce generated.
public
nonce([string $directive = 'script-src' ][, string $nonce = '' ]) : string
Parameters
- $directive : string = 'script-src'
- $nonce : string = '' (if empty, it will be generated)
Return values
string
preHash()
Add a new (pre-calculated) base64-encoded hash to the existing CSP
public
preHash([string $directive = 'script-src' ][, string $hash = '' ][, string $algorithm = 'sha384' ]) : self
Parameters
- $directive : string = 'script-src'
- $hash : string = ''
- $algorithm : string = 'sha384'
Return values
self
requireSRIFor()
public
requireSRIFor(string $directive) : self
Parameters
- $directive : string
Return values
self
saveSnippet()
Save CSP to a snippet file
public
saveSnippet(string $outputFile[, string $format = self::FORMAT_NGINX ]) : bool
Parameters
- $outputFile : string (output file name)
- $format : string = self::FORMAT_NGINX (which format are we saving in?)
Return values
bool
sendCSPHeader()
Send the compiled CSP as a header()
public
sendCSPHeader([bool $legacy = true ]) : bool
Parameters
- $legacy : bool = true (send legacy headers?)
Return values
bool
setAllowUnsafeEval()
Allow/disallow unsafe-eval within a given directive.
public
setAllowUnsafeEval([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setAllowUnsafeInline()
Allow/disallow unsafe-inline within a given directive.
public
setAllowUnsafeInline([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setBlobAllowed()
Allow/disallow blob: URIs for a given directive
public
setBlobAllowed([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setDataAllowed()
Allow/disallow data: URIs for a given directive
public
setDataAllowed([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setDirective()
Set a directive.
public
setDirective(string $key[, mixed $value = [] ]) : self
This lets you overwrite a complex directive entirely (e.g. script-src) or set a top-level directive (e.g. report-uri).
Parameters
- $key : string
- $value : mixed = []
Return values
self
setFileSystemAllowed()
Allow/disallow filesystem: URIs for a given directive
public
setFileSystemAllowed([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setMediaStreamAllowed()
Allow/disallow mediastream: URIs for a given directive
public
setMediaStreamAllowed([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setReportUri()
Set the Report URI to the desired string. Upstream also sets the 'report-to' component of the CSP header for CSP Level 3 compatibility; the HumHub patch removes report-to (see the patch notes at the top of this page), so only report-uri is emitted.
public
setReportUri([string $url = '' ]) : self
Parameters
- $url : string = ''
Return values
self
setSelfAllowed()
Allow/disallow self URIs for a given directive
public
setSelfAllowed([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setStrictDynamic()
Set strict-dynamic for a given directive.
public
setStrictDynamic([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setUnsafeEvalAllowed()
public
setUnsafeEvalAllowed([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
setUnsafeInlineAllowed()
public
setUnsafeInlineAllowed([string $directive = '' ][, bool $allow = false ]) : self
Parameters
- $directive : string = ''
- $allow : bool = false
Return values
self
compileSubgroup()
Compile a subgroup into a policy string
protected
compileSubgroup(string $directive[, mixed $policies = [] ]) : string
Parameters
- $directive : string
- $policies : mixed = []
Return values
string
getHeaderKeys()
Get an array of header keys to return
protected
getHeaderKeys([bool $legacy = true ]) : array<string|int, mixed>
Parameters
- $legacy : bool = true
Return values
array<string|int, mixed>
isHTTPSConnection()
Is this user currently connected over HTTPS?
protected
isHTTPSConnection() : bool
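The following is an added example illustrating hash() and preHash() above; it is not code from HumHub or from paragonie/csp-builder. It allow-lists a fixed inline script by digest rather than by nonce and then checks that the compiled policy carries the digest the emitted markup will need. It assumes the class autoloads under the upstream namespace ParagonIE\CSPBuilder (adjust the use statement for the HumHub fork); the build-time digest is a constructed placeholder.

```php
<?php
// Added example, not part of the HumHub or paragonie code base.
// Assumption: the class autoloads under the upstream namespace; change the
// use statement to the HumHub fork's namespace in a real install.
require __DIR__ . '/vendor/autoload.php';

use ParagonIE\CSPBuilder\CSPBuilder;

// The inline script exactly as it will appear between <script> and </script>.
// CSP hashes cover these bytes verbatim: a changed space, newline or line
// ending (CRLF vs LF) produces a different digest and the script is blocked.
$inlineJs = "document.documentElement.classList.add('js');";

$csp = new CSPBuilder();
$csp->setSelfAllowed('default-src', true)
    ->setSelfAllowed('script-src', true)
    // hash() digests the script for us and records it as base64.
    ->hash('script-src', $inlineJs, 'sha384');

// A digest computed elsewhere (build step, asset pipeline) is added as-is
// with preHash(). It must be base64 of the raw hash, not hex. This value is
// a constructed placeholder for a snippet the build emits.
$fromBuild = base64_encode(hash('sha256', "console.log('build-time snippet');", true));
$csp->preHash('script-src', $fromBuild, 'sha256');

// Verify what landed in script-src. 'sha384-<base64>' is the CSP
// source-expression syntax, so this doubles as a regression check for the
// template that emits $inlineJs: if someone reformats the script, deploy fails
// here instead of in the browser console.
$expected = "'sha384-" . base64_encode(hash('sha384', $inlineJs, true)) . "'";
$header   = $csp->compile();

if (strpos($header, $expected) === false) {
    throw new \RuntimeException('script-src does not carry the expected hash: ' . $header);
}

// Emit the script unchanged; hashed scripts need no nonce attribute.
echo '<script>' . $inlineJs . '</script>';
```

Hashes suit inline scripts that never change between responses (feature detection, theme bootstrap); anything templated with per-request data still needs nonce(), since every variation would otherwise require its own digest in the header.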