CodeIgniter4/app/Config/ContentSecurityPolicy.php

<?php namespace Config;

use CodeIgniter\Config\BaseConfig;

/**
 * Class ContentSecurityPolicyConfig
 *
 * Stores the default settings for the ContentSecurityPolicy, if you
 * choose to use it. The values here will be read in and set as defaults
 * for the site. If needed, they can be overridden on a page-by-page basis.
 *
 * Suggested reference for explanations:
 *    https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 *
 * @package Config
 */
class ContentSecurityPolicy extends BaseConfig
{
	// broadbrush CSP management

	public $reportOnly              = false; // default CSP report context
	public $reportURI               = null; // URL to send violation reports to
	public $upgradeInsecureRequests = false; // toggle for forcing https

	// sources allowed; string or array of strings
	// Note: once you set a policy to 'none', it cannot be further restricted

	public $defaultSrc     = null; // will default to self if not over-ridden
	public $scriptSrc      = 'self';
	public $styleSrc       = 'self';
	public $imageSrc       = 'self';
	public $baseURI        = null;    // will default to self if not over-ridden
	public $childSrc       = 'self';
	public $connectSrc     = 'self';
	public $fontSrc        = null;
	public $formAction     = 'self';
	public $frameAncestors = null;
	public $mediaSrc       = null;
	public $objectSrc      = 'self';
	public $manifestSrc    = null;

	// mime types allowed; string or array of strings
	public $pluginTypes = null;

	// list of actions allowed; string or array of strings
	public $sandbox = null;

}
Renaming the App\Config namespace to simply Config to make the config files more portable and allow easier modification of app namespace. 2016-02-11 22:59:25 -06:00			`<?php namespace Config;`
Initial start on implementing ContentSecurityPolicy tools. See #6 2015-12-21 15:04:45 -06:00
			`use CodeIgniter\Config\BaseConfig;`

			`/**`
			`* Class ContentSecurityPolicyConfig`
			`*`
			`* Stores the default settings for the ContentSecurityPolicy, if you`
			`* choose to use it. The values here will be read in and set as defaults`
			`* for the site. If needed, they can be overridden on a page-by-page basis.`
			`*`
Allow array options, fix sandbox 2018-12-05 22:28:59 -08:00			`* Suggested reference for explanations:`
			`* https://www.html5rocks.com/en/tutorials/security/content-security-policy/`
			`*`
Renaming the App\Config namespace to simply Config to make the config files more portable and allow easier modification of app namespace. 2016-02-11 22:59:25 -06:00			`* @package Config`
Initial start on implementing ContentSecurityPolicy tools. See #6 2015-12-21 15:04:45 -06:00			`*/`
Renaming ContentSecurityPolicyConfig file 2016-02-11 22:48:32 -06:00			`class ContentSecurityPolicy extends BaseConfig`
Initial start on implementing ContentSecurityPolicy tools. See #6 2015-12-21 15:04:45 -06:00			`{`
Allow array options, fix sandbox 2018-12-05 22:28:59 -08:00			`// broadbrush CSP management`

			`public $reportOnly = false; // default CSP report context`
			`public $reportURI = null; // URL to send violation reports to`
			`public $upgradeInsecureRequests = false; // toggle for forcing https`

			`// sources allowed; string or array of strings`
			`// Note: once you set a policy to 'none', it cannot be further restricted`

Adjust expected results for new defaults 2018-12-06 15:38:02 -08:00			`public $defaultSrc = null; // will default to self if not over-ridden`
Allow array options, fix sandbox 2018-12-05 22:28:59 -08:00			`public $scriptSrc = 'self';`
			`public $styleSrc = 'self';`
			`public $imageSrc = 'self';`
Adjust expected results for new defaults 2018-12-06 15:38:02 -08:00			`public $baseURI = null; // will default to self if not over-ridden`
Change naming and explain better 2018-12-06 13:48:43 -08:00			`public $childSrc = 'self';`
Allow array options, fix sandbox 2018-12-05 22:28:59 -08:00			`public $connectSrc = 'self';`
			`public $fontSrc = null;`
Change naming and explain better 2018-12-06 13:48:43 -08:00			`public $formAction = 'self';`
Initial start on implementing ContentSecurityPolicy tools. See #6 2015-12-21 15:04:45 -06:00			`public $frameAncestors = null;`
Allow array options, fix sandbox 2018-12-05 22:28:59 -08:00			`public $mediaSrc = null;`
Change naming and explain better 2018-12-06 13:48:43 -08:00			`public $objectSrc = 'self';`
Allow array options, fix sandbox 2018-12-05 22:28:59 -08:00			`public $manifestSrc = null;`
Initial start on implementing ContentSecurityPolicy tools. See #6 2015-12-21 15:04:45 -06:00
Allow array options, fix sandbox 2018-12-05 22:28:59 -08:00			`// mime types allowed; string or array of strings`
Initial start on implementing ContentSecurityPolicy tools. See #6 2015-12-21 15:04:45 -06:00			`public $pluginTypes = null;`

Allow array options, fix sandbox 2018-12-05 22:28:59 -08:00			`// list of actions allowed; string or array of strings`
			`public $sandbox = null;`
Initial start on implementing ContentSecurityPolicy tools. See #6 2015-12-21 15:04:45 -06:00
			`}`