From ee5926e883acca2e9d64e299d54323af211ab9c3 Mon Sep 17 00:00:00 2001 From: Christoph Potas Date: Fri, 1 Jun 2018 14:01:31 +0200 Subject: [PATCH 1/2] + added manifest to ContentSecurityPolicy Signed-off-by: Christoph Potas --- application/Config/ContentSecurityPolicy.php | 2 ++ system/HTTP/ContentSecurityPolicy.php | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/application/Config/ContentSecurityPolicy.php b/application/Config/ContentSecurityPolicy.php index ca46c513f7..2cd5029258 100644 --- a/application/Config/ContentSecurityPolicy.php +++ b/application/Config/ContentSecurityPolicy.php @@ -38,6 +38,8 @@ class ContentSecurityPolicy extends BaseConfig public $mediaSrc = null; public $objectSrc = null; + + public $manifestSrc = null; public $pluginTypes = null; diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php index 61f74d9721..1d7dd6f14d 100644 --- a/system/HTTP/ContentSecurityPolicy.php +++ b/system/HTTP/ContentSecurityPolicy.php @@ -140,6 +140,12 @@ class ContentSecurityPolicy * @var array */ protected $styleSrc = []; + + /** + * Used for security enforcement + * @var array + */ + protected $manifestSrc = []; /** * Used for security enforcement @@ -688,6 +694,7 @@ class ContentSecurityPolicy 'plugin-types' => 'pluginTypes', 'script-src' => 'scriptSrc', 'style-src' => 'styleSrc', + 'manifest-src' => 'manifestSrc', 'sandbox' => 'sandbox', 'report-uri' => 'reportURI' ]; From 6c81ee1cc69338cb6f8dcd46e703de778c3eb2a0 Mon Sep 17 00:00:00 2001 From: Christoph Potas Date: Mon, 4 Jun 2018 09:52:58 +0200 Subject: [PATCH 2/2] + added runtime setter + added to libraries/response doc Signed-off-by: Christoph Potas --- system/HTTP/ContentSecurityPolicy.php | 20 ++++++++++++++++++++ user_guide_src/source/libraries/response.rst | 1 + 2 files changed, 21 insertions(+) diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php index 1d7dd6f14d..33cc6325e8 100644 
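Review bot: The new `public $manifestSrc = null;` in application/Config/ContentSecurityPolicy.php has no comment, and the one thing a deployer needs to know about this directive is that setting it replaces the `default-src` fallback for web-app-manifest fetches, so a value wider than `defaultSrc` loosens the policy rather than tightening it. I would add above the property `// manifest-src: allowed sources for the web app manifest; when null the browser falls back to default-src`. The neighbouring properties in the hunk are undocumented as well, so this is a deviation from the file's current style, but the fallback behaviour is the kind of caveat that belongs next to the setting.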
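Review bot: The docblock on the added `protected $manifestSrc = [];` in system/HTTP/ContentSecurityPolicy.php reads `Used for security enforcement`, copied from the neighbouring properties, and says nothing about what the array holds. Since the directive map added later in this patch emits it as `manifest-src`, I would write `* Allowed source expressions for the CSP manifest-src directive (web app manifest fetches).` and keep the `@var array`. Whether the constructor copies the config value into this property is not visible in this hunk, so that path is worth confirming with a test that sets `manifestSrc` in config and checks the emitted header.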
--- a/system/HTTP/ContentSecurityPolicy.php +++ b/system/HTTP/ContentSecurityPolicy.php @@ -438,6 +438,26 @@ class ContentSecurityPolicy return $this; } + + //-------------------------------------------------------------------- + + /** + * Adds a new valid endpoint for manifest sources. Can be either + * a URI class or simple string. + * + * @see https://www.w3.org/TR/CSP/#directive-manifest-src + * + * @param $uri + * @param bool $reportOnly + * + * @return $this + */ + public function addManifestSrc($uri, bool $reportOnly = false) + { + $this->addOption($uri, 'manifestSrc', $reportOnly); + + return $this; + } //-------------------------------------------------------------------- diff --git a/user_guide_src/source/libraries/response.rst b/user_guide_src/source/libraries/response.rst index 7c36a0c6bc..8a53b02e6c 100644 --- a/user_guide_src/source/libraries/response.rst +++ b/user_guide_src/source/libraries/response.rst @@ -179,6 +179,7 @@ class holds a number of methods that map pretty clearly to the appropriate heade $response->CSP->addFrameAncestor('none', $reportOnly); $response->CSP->addImageSrc('cdn.example.com', $reportOnly); $response->CSP->addMediaSrc('cdn.example.com', $reportOnly); + $response->CSP->addManifestSrc('cdn.example.com', $reportOnly); $response->CSP->addObjectSrc('cdn.example.com', $reportOnly); $response->CSP->addPluginType('application/pdf', $reportOnly); $response->CSP->addScriptSrc('scripts.example.com', $reportOnly);
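Review bot: `addManifestSrc($uri, bool $reportOnly = false)` leaves `$uri` untyped although the docblock says it accepts a URI object or a string; the bare `@param      $uri` should at least name the union, `@param string|URI $uri`, so static analysis and the user guide agree with the method body (the other `add*Src` methods presumably use the same form, so match theirs). The value is handed straight to `addOption()` and ends up in the Content-Security-Policy header, and nothing in this hunk validates it; if `addOption` does not reject `;`, whitespace or control characters, a caller that passes request-derived input could append further directives, so the docblock should state the contract, e.g. `* $uri is emitted verbatim into the CSP header; pass only trusted, static source expressions.` The method is complete within the hunk, but the enclosing class continues outside it.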