Merge pull request #1060 from puschie286/AddManifestToCSP

Added manifest to ContentSecurityPolicy
This commit is contained in:
Lonnie Ezell 2018-06-04 22:51:38 -05:00 committed by GitHub
commit d128368513
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 0 deletions


@ -38,6 +38,8 @@ class ContentSecurityPolicy extends BaseConfig
public $mediaSrc = null;
public $objectSrc = null;
public $manifestSrc = null;
public $pluginTypes = null;


@ -140,6 +140,12 @@ class ContentSecurityPolicy
* @var array
*/
protected $styleSrc = [];
/**
* Used for security enforcement
* @var array
*/
protected $manifestSrc = [];
/**
* Used for security enforcement
@ -432,6 +438,26 @@ class ContentSecurityPolicy
return $this;
}
//--------------------------------------------------------------------
/**
* Adds a new valid endpoint for manifest sources. Can be either
* a URI class or simple string.
*
* @see https://www.w3.org/TR/CSP/#directive-manifest-src
*
* @param $uri
* @param bool $reportOnly
*
* @return $this
*/
public function addManifestSrc($uri, bool $reportOnly = false)
{
$this->addOption($uri, 'manifestSrc', $reportOnly);
return $this;
}
//--------------------------------------------------------------------
@ -688,6 +714,7 @@ class ContentSecurityPolicy
'plugin-types' => 'pluginTypes',
'script-src' => 'scriptSrc',
'style-src' => 'styleSrc',
'manifest-src' => 'manifestSrc',
'sandbox' => 'sandbox',
'report-uri' => 'reportURI'
];
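Review bot: The new `addManifestSrc()` docblock leaves `$uri` untyped (`@param $uri`) even though the description says it accepts "a URI class or simple string"; since the method itself carries no native parameter or return type, the docblock is the only contract static analysis and IDEs see, so it should read something like `@param string|URI $uri` (matching whatever URI class the sibling `add*Src` methods document, which are outside this hunk) and ideally `@return $this` could become a native `: self` if the siblings already do that. In the directive map at the end of the section, `'manifest-src' => 'manifestSrc'` is inserted after `'style-src'`, which breaks the otherwise alphabetical order of the neighbouring entries; moving it between `'img-src'`-style entries and `'object-src'`, i.e. before `'plugin-types'`, keeps the map consistent with the alphabetical placement chosen for the `$manifestSrc` property in both the config class and this class. The copied property comment `Used for security enforcement` says nothing specific; `Valid sources for the manifest-src directive (see https://www.w3.org/TR/CSP/#directive-manifest-src)` would tell a maintainer what the array actually holds.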


@ -179,6 +179,7 @@ class holds a number of methods that map pretty clearly to the appropriate heade
$response->CSP->addFrameAncestor('none', $reportOnly);
$response->CSP->addImageSrc('cdn.example.com', $reportOnly);
$response->CSP->addMediaSrc('cdn.example.com', $reportOnly);
$response->CSP->addManifestSrc('cdn.example.com', $reportOnly);
$response->CSP->addObjectSrc('cdn.example.com', $reportOnly);
$response->CSP->addPluginType('application/pdf', $reportOnly);
$response->CSP->addScriptSrc('scripts.example.com', $reportOnly);