
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Content Security Policy &mdash; CodeIgniter 4.4.3 documentation</title>
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/css/citheme.css" type="text/css" />
<link rel="stylesheet" href="../_static/css/citheme_dark.css" type="text/css" />
<link rel="shortcut icon" href="../_static/favicon.ico"/>
<!--[if lt IE 9]>
<script src="../_static/js/html5shiv.min.js"></script>
<![endif]-->
<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
<script src="../_static/jquery.js"></script>
<script src="../_static/underscore.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/js/citheme.js"></script>
<script src="../_static/js/carbon.js"></script>
<script src="../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Localization" href="localization.html" />
<link rel="prev" title="API Response Trait" href="api_responses.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../index.html">
<img src="../_static/ci-logo-text.svg" class="logo" alt="Logo"/>
</a>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<ul>
<li class="toctree-l1"><a class="reference internal" href="../intro/index.html">Welcome to CodeIgniter4</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../intro/index.html">Welcome to CodeIgniter4</a></li>
<li class="toctree-l2"><a class="reference internal" href="../intro/requirements.html">Server Requirements</a></li>
<li class="toctree-l2"><a class="reference internal" href="../intro/credits.html">Credits</a></li>
<li class="toctree-l2"><a class="reference internal" href="../intro/psr.html">PSR Compliance</a></li>
<li class="toctree-l2"><a class="reference internal" href="../license.html">License Agreement</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../installation/index.html">Installation</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../installation/installing_composer.html">Composer Installation</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/installing_manual.html">Manual Installation</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/running.html">Running Your App</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/troubleshooting.html">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="../changelogs/index.html">Change Logs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/upgrading.html">Upgrading From a Previous Version</a></li>
<li class="toctree-l2"><a class="reference internal" href="../installation/repositories.html">CodeIgniter Repositories</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../tutorial/index.html">Build Your First Application</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../tutorial/static_pages.html">Static Pages</a></li>
<li class="toctree-l2"><a class="reference internal" href="../tutorial/news_section.html">News Section</a></li>
<li class="toctree-l2"><a class="reference internal" href="../tutorial/create_news_items.html">Create News Items</a></li>
<li class="toctree-l2"><a class="reference internal" href="../tutorial/conclusion.html">Conclusion</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../concepts/index.html">CodeIgniter4 Overview</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../concepts/structure.html">Application Structure</a></li>
<li class="toctree-l2"><a class="reference internal" href="../concepts/mvc.html">Models, Views, and Controllers</a></li>
<li class="toctree-l2"><a class="reference internal" href="../concepts/autoloader.html">Autoloading Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../concepts/services.html">Services</a></li>
<li class="toctree-l2"><a class="reference internal" href="../concepts/factories.html">Factories</a></li>
<li class="toctree-l2"><a class="reference internal" href="../concepts/http.html">Working with HTTP Requests</a></li>
<li class="toctree-l2"><a class="reference internal" href="../concepts/security.html">Security Guidelines</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../general/index.html">General Topics</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../general/configuration.html">Configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/urls.html">CodeIgniter URLs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/helpers.html">Helper Functions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/common_functions.html">Global Functions and Constants</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/logging.html">Logging Information</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/errors.html">Error Handling</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/caching.html">Web Page Caching</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/ajax.html">AJAX Requests</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/modules.html">Code Modules</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/managing_apps.html">Managing your Applications</a></li>
<li class="toctree-l2"><a class="reference internal" href="../general/environments.html">Handling Multiple Environments</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../incoming/index.html">Controllers and Routing</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../incoming/routing.html">URI Routing</a></li>
<li class="toctree-l2"><a class="reference internal" href="../incoming/controllers.html">Controllers</a></li>
<li class="toctree-l2"><a class="reference internal" href="../incoming/filters.html">Controller Filters</a></li>
<li class="toctree-l2"><a class="reference internal" href="../incoming/message.html">HTTP Messages</a></li>
<li class="toctree-l2"><a class="reference internal" href="../incoming/request.html">Request Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="../incoming/incomingrequest.html">IncomingRequest Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="../incoming/content_negotiation.html">Content Negotiation</a></li>
<li class="toctree-l2"><a class="reference internal" href="../incoming/methodspoofing.html">HTTP Method Spoofing</a></li>
<li class="toctree-l2"><a class="reference internal" href="../incoming/restful.html">RESTful Resource Handling</a></li>
</ul>
</li>
</ul>
<ul class="current">
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Building Responses</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="views.html">Views</a></li>
<li class="toctree-l2"><a class="reference internal" href="view_cells.html">View Cells</a></li>
<li class="toctree-l2"><a class="reference internal" href="view_renderer.html">View Renderer</a></li>
<li class="toctree-l2"><a class="reference internal" href="view_layouts.html">View Layouts</a></li>
<li class="toctree-l2"><a class="reference internal" href="view_parser.html">View Parser</a></li>
<li class="toctree-l2"><a class="reference internal" href="view_decorators.html">View Decorators</a></li>
<li class="toctree-l2"><a class="reference internal" href="table.html">HTML Table Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="response.html">HTTP Responses</a></li>
<li class="toctree-l2"><a class="reference internal" href="api_responses.html">API Response Trait</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Content Security Policy</a></li>
<li class="toctree-l2"><a class="reference internal" href="localization.html">Localization</a></li>
<li class="toctree-l2"><a class="reference internal" href="alternative_php.html">Alternate PHP Syntax for View Files</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../database/index.html">Working with Databases</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../database/examples.html">Quick Start: Usage Examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/configuration.html">Database Configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/connecting.html">Connecting to a Database</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/queries.html">Running Queries</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/results.html">Generating Query Results</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/helpers.html">Query Helper Functions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/query_builder.html">Query Builder Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/transactions.html">Transactions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/metadata.html">Getting MetaData</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/call_function.html">Custom Function Calls</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/events.html">Database Events</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/utilities.html">Database Utilities</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../models/index.html">Modeling Data</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../models/model.html">Using CodeIgniter's Model</a></li>
<li class="toctree-l2"><a class="reference internal" href="../models/entities.html">Using Entity Classes</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../dbmgmt/index.html">Managing Databases</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../dbmgmt/forge.html">Database Manipulation with Database Forge</a></li>
<li class="toctree-l2"><a class="reference internal" href="../dbmgmt/migration.html">Database Migrations</a></li>
<li class="toctree-l2"><a class="reference internal" href="../dbmgmt/seeds.html">Database Seeding</a></li>
<li class="toctree-l2"><a class="reference internal" href="../dbmgmt/db_commands.html">Database Commands</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../libraries/index.html">Library Reference</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../libraries/caching.html">Caching Driver</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/cookies.html">Cookies</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/curlrequest.html">CURLRequest Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/email.html">Email Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/encryption.html">Encryption Service</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/files.html">Working with Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/file_collections.html">File Collections</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/honeypot.html">Honeypot Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/images.html">Image Manipulation Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/pagination.html">Pagination</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/publisher.html">Publisher</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/security.html">Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/sessions.html">Session Library</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/throttler.html">Throttler</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/time.html">Times and Dates</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/typography.html">Typography</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/uploaded_files.html">Working with Uploaded Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/uri.html">Working with URIs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/user_agent.html">User Agent Class</a></li>
<li class="toctree-l2"><a class="reference internal" href="../libraries/validation.html">Validation</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../helpers/index.html">Helpers</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../helpers/array_helper.html">Array Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/cookie_helper.html">Cookie Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/date_helper.html">Date Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/filesystem_helper.html">Filesystem Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/form_helper.html">Form Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/html_helper.html">HTML Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/inflector_helper.html">Inflector Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/number_helper.html">Number Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/security_helper.html">Security Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/test_helper.html">Test Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/text_helper.html">Text Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/url_helper.html">URL Helper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../helpers/xml_helper.html">XML Helper</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../testing/index.html">Testing</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../testing/overview.html">Getting Started</a></li>
<li class="toctree-l2"><a class="reference internal" href="../testing/database.html">Database</a></li>
<li class="toctree-l2"><a class="reference internal" href="../testing/fabricator.html">Generating Data</a></li>
<li class="toctree-l2"><a class="reference internal" href="../testing/controllers.html">Controller Testing</a></li>
<li class="toctree-l2"><a class="reference internal" href="../testing/feature.html">HTTP Testing</a></li>
<li class="toctree-l2"><a class="reference internal" href="../testing/response.html">Testing Responses</a></li>
<li class="toctree-l2"><a class="reference internal" href="../testing/benchmark.html">Benchmarking</a></li>
<li class="toctree-l2"><a class="reference internal" href="../testing/debugging.html">Debugging Your Application</a></li>
<li class="toctree-l2"><a class="reference internal" href="../testing/mocking.html">Mocking</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../cli/index.html">Command Line Usage</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../cli/cli_overview.html">CLI Overview</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cli/cli_controllers.html">Running Controllers via CLI</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cli/spark_commands.html">Spark Commands</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cli/cli_commands.html">Creating Spark Commands</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cli/cli_generators.html">CLI Generators</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cli/cli_library.html">CLI Library</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cli/cli_request.html">CLIRequest Class</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../extending/index.html">Extending CodeIgniter</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../extending/core_classes.html">Creating Core System Classes</a></li>
<li class="toctree-l2"><a class="reference internal" href="../extending/common.html">Replacing Common Functions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../extending/events.html">Events</a></li>
<li class="toctree-l2"><a class="reference internal" href="../extending/basecontroller.html">Extending the Controller</a></li>
<li class="toctree-l2"><a class="reference internal" href="../extending/authentication.html">Authentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="../extending/composer_packages.html">Creating Composer Packages</a></li>
<li class="toctree-l2"><a class="reference internal" href="../extending/contributing.html">Contributing to CodeIgniter</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../libraries/official_packages.html">Official Packages</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">CodeIgniter</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<a class="btn btn-neutral float-right" href="https://github.com/codeigniter4/CodeIgniter4/edit/develop/user_guide_src/source/outgoing/csp.rst">Edit this page</a>
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="index.html">Building Responses</a></li>
<li class="breadcrumb-item active">Content Security Policy</li>
<li class="wy-breadcrumbs-aside">
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="content-security-policy">
<span id="id1"></span><h1>Content Security Policy<a class="headerlink" href="#content-security-policy" title="Permalink to this headline"></a></h1>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><p><a class="reference internal" href="#what-is-content-security-policy" id="id2">What is Content Security Policy?</a></p></li>
<li><p><a class="reference internal" href="#turning-csp-on" id="id3">Turning CSP On</a></p></li>
<li><p><a class="reference internal" href="#runtime-configuration" id="id4">Runtime Configuration</a></p></li>
<li><p><a class="reference internal" href="#inline-content" id="id5">Inline Content</a></p></li>
</ul>
</div>
<section id="what-is-content-security-policy">
<h2><a class="toc-backref" href="#id2">What is Content Security Policy?</a><a class="headerlink" href="#what-is-content-security-policy" title="Permalink to this headline"></a></h2>
<p>One of the best protections you have against XSS attacks is to implement a Content
Security Policy (CSP) on the site. This requires you to specify and authorize each
source of content that is included in your site's HTML, including images,
stylesheets, JavaScript files, and so on. The browser will reject content from
sources that are not explicitly approved. This authorization is defined within
the response's <code class="docutils literal notranslate"><span class="pre">Content-Security-Policy</span></code> header and offers various configuration
options.</p>
<p>This sounds complex, and on some sites, can definitely be challenging. For many simple sites, though, where all content
is served by the same domain (<a class="reference external" href="http://example.com">http://example.com</a>), it is very simple to integrate.</p>
<p>As this is a complex subject, this user guide will not go over all of the details. For more information, you should
visit the following sites:</p>
<ul class="simple">
<li><p><a class="reference external" href="https://content-security-policy.com/">Content Security Policy main site</a></p></li>
<li><p><a class="reference external" href="https://www.w3.org/TR/CSP">W3C Specification</a></p></li>
<li><p><a class="reference external" href="https://www.html5rocks.com/en/tutorials/security/content-security-policy/">Introduction at HTML5Rocks</a></p></li>
<li><p><a class="reference external" href="https://www.sitepoint.com/improving-web-security-with-the-content-security-policy/">Article at SitePoint</a></p></li>
</ul>
</section>
<section id="turning-csp-on">
<h2><a class="toc-backref" href="#id3">Turning CSP On</a><a class="headerlink" href="#turning-csp-on" title="Permalink to this headline"></a></h2>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The <a class="reference internal" href="../testing/debugging.html#the-debug-toolbar"><span class="std std-ref">Debug Toolbar</span></a> may use Kint, which
outputs inline scripts. Therefore, when CSP is turned on, a CSP nonce is
automatically output for the Debug Toolbar. However, if you are not otherwise using
a CSP nonce, this changes the CSP header to a policy you did not intend,
and the site will behave differently than in production; if you want to verify CSP
behavior, turn off the Debug Toolbar.</p>
</div>
<p>By default, support for this is off. To enable support in your application, edit the <code class="docutils literal notranslate"><span class="pre">CSPEnabled</span></code> value in
<strong>app/Config/App.php</strong>:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">namespace</span> <span class="nx">Config</span><span class="p">;</span>
<span class="k">use</span> <span class="nx">CodeIgniter\Config\BaseConfig</span><span class="p">;</span>
<span class="k">class</span> <span class="nc">App</span> <span class="k">extends</span> <span class="nx">BaseConfig</span>
<span class="p">{</span>
<span class="c1">// ...</span>
<span class="k">public</span> <span class="nx">bool</span> <span class="nv">$CSPEnabled</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>When enabled, the response object will contain an instance of <code class="docutils literal notranslate"><span class="pre">CodeIgniter\HTTP\ContentSecurityPolicy</span></code>. The
values set in <strong>app/Config/ContentSecurityPolicy.php</strong> are applied to that instance, and if no changes are
needed during runtime, then the correctly formatted header is sent and you're all done.</p>
<p>With CSP enabled, two header lines are added to the HTTP response: a <strong>Content-Security-Policy</strong> header, with
policies identifying content types or origins that are explicitly allowed for different
contexts, and a <strong>Content-Security-Policy-Report-Only</strong> header, which identifies content types
or origins that will be allowed but which will also be reported to the destination
of your choice.</p>
<p>Our implementation provides a default treatment, changeable through the <code class="docutils literal notranslate"><span class="pre">reportOnly()</span></code> method.
When an additional entry is added to a CSP directive, as shown below, it is added
to whichever CSP header the current default treatment selects (blocking or report-only). That can be overridden on a per
call basis by providing an optional second parameter to the adding method call.</p>
</section>
<section id="runtime-configuration">
<h2><a class="toc-backref" href="#id4">Runtime Configuration</a><a class="headerlink" href="#runtime-configuration" title="Permalink to this headline"></a></h2>
<p>If your application needs to make changes at run-time, you can access the instance at <code class="docutils literal notranslate"><span class="pre">$this-&gt;response-&gt;getCSP()</span></code> in your controllers. The
class holds a number of methods that map pretty clearly to the appropriate header value that you need to set.
Examples are shown below, with different combinations of parameters, though all accept either a directive
name or an array of them:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="c1">// get the CSP instance</span>
<span class="nv">$csp</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">response</span><span class="o">-&gt;</span><span class="na">getCSP</span><span class="p">();</span>
<span class="c1">// specify the default directive treatment</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">reportOnly</span><span class="p">(</span><span class="k">false</span><span class="p">);</span>
<span class="c1">// specify the origin to use if none provided for a directive</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">setDefaultSrc</span><span class="p">(</span><span class="s1">&#39;cdn.example.com&#39;</span><span class="p">);</span>
<span class="c1">// specify the URL that &quot;report-only&quot; reports get sent to</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">setReportURI</span><span class="p">(</span><span class="s1">&#39;http://example.com/csp/reports&#39;</span><span class="p">);</span>
<span class="c1">// specify that HTTP requests be upgraded to HTTPS</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">upgradeInsecureRequests</span><span class="p">(</span><span class="k">true</span><span class="p">);</span>
<span class="c1">// add types or origins to CSP directives</span>
<span class="c1">// assuming that the default treatment is to block rather than just report</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addBaseURI</span><span class="p">(</span><span class="s1">&#39;example.com&#39;</span><span class="p">,</span> <span class="k">true</span><span class="p">);</span> <span class="c1">// report only</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addChildSrc</span><span class="p">(</span><span class="s1">&#39;https://youtube.com&#39;</span><span class="p">);</span> <span class="c1">// blocked</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addConnectSrc</span><span class="p">(</span><span class="s1">&#39;https://*.facebook.com&#39;</span><span class="p">,</span> <span class="k">false</span><span class="p">);</span> <span class="c1">// blocked</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addFontSrc</span><span class="p">(</span><span class="s1">&#39;fonts.example.com&#39;</span><span class="p">);</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addFormAction</span><span class="p">(</span><span class="s1">&#39;self&#39;</span><span class="p">);</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addFrameAncestor</span><span class="p">(</span><span class="s1">&#39;none&#39;</span><span class="p">,</span> <span class="k">true</span><span class="p">);</span> <span class="c1">// report this one</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addImageSrc</span><span class="p">(</span><span class="s1">&#39;cdn.example.com&#39;</span><span class="p">);</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addMediaSrc</span><span class="p">(</span><span class="s1">&#39;cdn.example.com&#39;</span><span class="p">);</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addManifestSrc</span><span class="p">(</span><span class="s1">&#39;cdn.example.com&#39;</span><span class="p">);</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addObjectSrc</span><span class="p">(</span><span class="s1">&#39;cdn.example.com&#39;</span><span class="p">,</span> <span class="k">false</span><span class="p">);</span> <span class="c1">// reject from here</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addPluginType</span><span class="p">(</span><span class="s1">&#39;application/pdf&#39;</span><span class="p">,</span> <span class="k">false</span><span class="p">);</span> <span class="c1">// reject this media type</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addScriptSrc</span><span class="p">(</span><span class="s1">&#39;scripts.example.com&#39;</span><span class="p">,</span> <span class="k">true</span><span class="p">);</span> <span class="c1">// allow but report requests from here</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addStyleSrc</span><span class="p">(</span><span class="s1">&#39;css.example.com&#39;</span><span class="p">);</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addSandbox</span><span class="p">([</span><span class="s1">&#39;allow-forms&#39;</span><span class="p">,</span> <span class="s1">&#39;allow-scripts&#39;</span><span class="p">]);</span>
</pre></div>
</div>
<p>The first parameter to each of the “add” methods is an appropriate string value,
or an array of them.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">reportOnly()</span></code> method allows you to specify the default reporting treatment
for subsequent sources, unless overridden. For instance, you could specify
that youtube.com was allowed, and then provide several allowed but reported sources:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="o">&lt;?</span><span class="nx">php</span>
<span class="c1">// get the CSP instance</span>
<span class="nv">$csp</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">response</span><span class="o">-&gt;</span><span class="na">getCSP</span><span class="p">();</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addChildSrc</span><span class="p">(</span><span class="s1">&#39;https://youtube.com&#39;</span><span class="p">);</span> <span class="c1">// allowed</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">reportOnly</span><span class="p">(</span><span class="k">true</span><span class="p">);</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addChildSrc</span><span class="p">(</span><span class="s1">&#39;https://metube.com&#39;</span><span class="p">);</span> <span class="c1">// allowed but reported</span>
<span class="nv">$csp</span><span class="o">-&gt;</span><span class="na">addChildSrc</span><span class="p">(</span><span class="s1">&#39;https://ourtube.com&#39;</span><span class="p">,</span> <span class="k">false</span><span class="p">);</span> <span class="c1">// allowed</span>
</pre></div>
</div>
</section>
<section id="inline-content">
<h2><a class="toc-backref" href="#id5">Inline Content</a><a class="headerlink" href="#inline-content" title="Permalink to this headline"></a></h2>
<p>It is possible to configure a website so that even inline scripts and styles on its own pages are not protected, which is risky
because such inline content might be the result of user-generated content. To protect against this, CSP allows you to specify a nonce on the
<code class="docutils literal notranslate"><span class="pre">&lt;style&gt;</span></code> and <code class="docutils literal notranslate"><span class="pre">&lt;script&gt;</span></code> tags, and to add those values to the response's header. This is a pain to handle in real
life, and is most secure when the nonce is generated on the fly. To make this simple, you can include a <code class="docutils literal notranslate"><span class="pre">{csp-style-nonce}</span></code> or
<code class="docutils literal notranslate"><span class="pre">{csp-script-nonce}</span></code> placeholder in the tag and it will be handled for you automatically:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="c1">// Original</span>
<span class="o">&lt;</span><span class="nx">script</span> <span class="p">{</span><span class="nx">csp</span><span class="o">-</span><span class="nx">script</span><span class="o">-</span><span class="nx">nonce</span><span class="p">}</span><span class="o">&gt;</span>
<span class="nx">console</span><span class="o">.</span><span class="nb">log</span><span class="p">(</span><span class="s2">&quot;Script won&#39;t run as it doesn&#39;t contain a nonce attribute&quot;</span><span class="p">);</span>
<span class="o">&lt;/</span><span class="nx">script</span><span class="o">&gt;</span>
<span class="c1">// Becomes</span>
<span class="o">&lt;</span><span class="nx">script</span> <span class="nx">nonce</span><span class="o">=</span><span class="s2">&quot;Eskdikejidojdk978Ad8jf&quot;</span><span class="o">&gt;</span>
<span class="nx">console</span><span class="o">.</span><span class="nb">log</span><span class="p">(</span><span class="s2">&quot;Script won&#39;t run as it doesn&#39;t contain a nonce attribute&quot;</span><span class="p">);</span>
<span class="o">&lt;/</span><span class="nx">script</span><span class="o">&gt;</span>
<span class="c1">// OR</span>
<span class="o">&lt;</span><span class="nx">style</span> <span class="p">{</span><span class="nx">csp</span><span class="o">-</span><span class="nx">style</span><span class="o">-</span><span class="nx">nonce</span><span class="p">}</span><span class="o">&gt;</span>
<span class="o">.</span> <span class="o">.</span> <span class="o">.</span>
<span class="o">&lt;/</span><span class="nx">style</span><span class="o">&gt;</span>
</pre></div>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>If an attacker injects a string like <code class="docutils literal notranslate"><span class="pre">&lt;script</span> <span class="pre">{csp-script-nonce}&gt;</span></code>, the placeholder might be replaced with the real nonce attribute by this functionality, allowing the injected script to run. To reduce this risk, you can customize the placeholder string with the <code class="docutils literal notranslate"><span class="pre">$scriptNonceTag</span></code> and <code class="docutils literal notranslate"><span class="pre">$styleNonceTag</span></code> properties in <strong>app/Config/ContentSecurityPolicy.php</strong>.</p>
</div>
<p>If you don't want this automatic replacement, you can turn it off by setting <code class="docutils literal notranslate"><span class="pre">$autoNonce</span> <span class="pre">=</span> <span class="pre">false</span></code> in <strong>app/Config/ContentSecurityPolicy.php</strong>.</p>
<p>In this case, you can use the functions <a class="reference internal" href="../general/common_functions.html#csp_script_nonce" title="csp_script_nonce"><code class="xref php php-func docutils literal notranslate"><span class="pre">csp_script_nonce()</span></code></a> and <a class="reference internal" href="../general/common_functions.html#csp_style_nonce" title="csp_style_nonce"><code class="xref php php-func docutils literal notranslate"><span class="pre">csp_style_nonce()</span></code></a> to insert the nonce yourself:</p>
<div class="highlight-html+php notranslate"><div class="highlight"><pre><span></span><span class="c1">// Original</span>
<span class="o">&lt;</span><span class="nx">script</span> <span class="o">&lt;?=</span> <span class="nx">csp_script_nonce</span><span class="p">()</span> <span class="cp">?&gt;</span>&gt;
console.log(&quot;Script won&#39;t run as it doesn&#39;t contain a nonce attribute&quot;);
<span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
// Becomes
<span class="p">&lt;</span><span class="nt">script</span> <span class="na">nonce</span><span class="o">=</span><span class="s">&quot;Eskdikejidojdk978Ad8jf&quot;</span><span class="p">&gt;</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;Script won&#39;t run as it doesn&#39;t contain a nonce attribute&quot;</span><span class="p">);</span>
<span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
// OR
<span class="p">&lt;</span><span class="nt">style</span> <span class="cp">&lt;?</span><span class="o">=</span> <span class="nx">csp_style_nonce</span><span class="p">()</span> <span class="cp">?&gt;</span><span class="p">&gt;</span>
<span class="w"> </span><span class="o">.</span><span class="w"> </span><span class="o">.</span><span class="w"> </span><span class="o">.</span>
<span class="p">&lt;/</span><span class="nt">style</span><span class="p">&gt;</span>
</pre></div>
</div>
</section>
</section>
</div>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2019-2023 CodeIgniter Foundation.
<span class="lastupdated">Last updated on Nov 27, 2023.
</span></p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
</body>
</html>