2020-09-06 00:51:12 +08:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace Config;
|
2015-12-21 15:04:45 -06:00
|
|
|
|
|
|
|
|
use CodeIgniter\Config\BaseConfig;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Stores the default settings for the ContentSecurityPolicy, if you
|
|
|
|
|
* choose to use it. The values here will be read in and set as defaults
|
|
|
|
|
* for the site. If needed, they can be overridden on a page-by-page basis.
|
|
|
|
|
*
|
2018-12-05 22:28:59 -08:00
|
|
|
* Suggested reference for explanations:
|
2020-11-17 01:00:00 +08:00
|
|
|
*
|
|
|
|
|
* @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
|
2015-12-21 15:04:45 -06:00
|
|
|
*/
|
2016-02-11 22:48:32 -06:00
|
|
|
class ContentSecurityPolicy extends BaseConfig
|
2015-12-21 15:04:45 -06:00
|
|
|
{
|
2021-06-04 22:51:52 +08:00
|
|
|
//-------------------------------------------------------------------------
|
|
|
|
|
// Broadbrush CSP management
|
|
|
|
|
//-------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Default CSP report context
|
|
|
|
|
*
|
2021-06-08 11:46:56 +08:00
|
|
|
* @var bool
|
2021-06-04 22:51:52 +08:00
|
|
|
*/
|
|
|
|
|
public $reportOnly = false;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Specifies a URL where a browser will send reports
|
|
|
|
|
* when a content security policy is violated.
|
|
|
|
|
*
|
|
|
|
|
* @var string|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $reportURI;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Instructs user agents to rewrite URL schemes, changing
|
|
|
|
|
* HTTP to HTTPS. This directive is for websites with
|
|
|
|
|
* large numbers of old URLs that need to be rewritten.
|
|
|
|
|
*
|
2021-06-08 11:46:56 +08:00
|
|
|
* @var bool
|
2021-06-04 22:51:52 +08:00
|
|
|
*/
|
|
|
|
|
public $upgradeInsecureRequests = false;
|
|
|
|
|
|
|
|
|
|
//-------------------------------------------------------------------------
|
|
|
|
|
// Sources allowed
|
|
|
|
|
// Note: once you set a policy to 'none', it cannot be further restricted
|
|
|
|
|
//-------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Will default to self if not overridden
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $defaultSrc;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Lists allowed scripts' URLs.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]
|
|
|
|
|
*/
|
|
|
|
|
public $scriptSrc = 'self';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Lists allowed stylesheets' URLs.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]
|
|
|
|
|
*/
|
|
|
|
|
public $styleSrc = 'self';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Defines the origins from which images can be loaded.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]
|
|
|
|
|
*/
|
|
|
|
|
public $imageSrc = 'self';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Restricts the URLs that can appear in a page's `<base>` element.
|
|
|
|
|
*
|
|
|
|
|
* Will default to self if not overridden
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $baseURI;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Lists the URLs for workers and embedded frame contents
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]
|
|
|
|
|
*/
|
|
|
|
|
public $childSrc = 'self';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Limits the origins that you can connect to (via XHR,
|
|
|
|
|
* WebSockets, and EventSource).
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]
|
|
|
|
|
*/
|
|
|
|
|
public $connectSrc = 'self';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Specifies the origins that can serve web fonts.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $fontSrc;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Lists valid endpoints for submission from `<form>` tags.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]
|
|
|
|
|
*/
|
|
|
|
|
public $formAction = 'self';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Specifies the sources that can embed the current page.
|
|
|
|
|
* This directive applies to `<frame>`, `<iframe>`, `<embed>`,
|
|
|
|
|
* and `<applet>` tags. This directive can't be used in
|
|
|
|
|
* `<meta>` tags and applies only to non-HTML resources.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $frameAncestors;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The frame-src directive restricts the URLs which may
|
|
|
|
|
* be loaded into nested browsing contexts.
|
|
|
|
|
*
|
|
|
|
|
* @var array|string|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $frameSrc;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Restricts the origins allowed to deliver video and audio.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $mediaSrc;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Allows control over Flash and other plugins.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]
|
|
|
|
|
*/
|
|
|
|
|
public $objectSrc = 'self';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @var string|string[]|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $manifestSrc;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Limits the kinds of plugins a page may invoke.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $pluginTypes;
|
2021-06-04 22:51:52 +08:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* List of actions allowed.
|
|
|
|
|
*
|
|
|
|
|
* @var string|string[]|null
|
|
|
|
|
*/
|
2021-07-04 17:00:32 +08:00
|
|
|
public $sandbox;
|
2021-12-31 13:26:08 +09:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Nonce tag for style
|
|
|
|
|
*
|
|
|
|
|
* @var string
|
|
|
|
|
*/
|
|
|
|
|
public $styleNonceTag = '{csp-style-nonce}';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Nonce tag for script
|
|
|
|
|
*
|
|
|
|
|
* @var string
|
|
|
|
|
*/
|
|
|
|
|
public $scriptNonceTag = '{csp-script-nonce}';
|
2021-12-31 14:01:36 +09:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Replace nonce tag automatically
|
|
|
|
|
*
|
|
|
|
|
* @var bool
|
|
|
|
|
*/
|
|
|
|
|
public $autoNonce = true;
|
2015-12-21 15:04:45 -06:00
|
|
|
}
|
