You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

ContentSecurityPolicy.php 4.2KB

преди 2 години
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188
  1. <?php
  2. namespace Config;
  3. use CodeIgniter\Config\BaseConfig;
  4. /**
  5. * Stores the default settings for the ContentSecurityPolicy, if you
  6. * choose to use it. The values here will be read in and set as defaults
  7. * for the site. If needed, they can be overridden on a page-by-page basis.
  8. *
  9. * Suggested reference for explanations:
  10. *
  11. * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
  12. */
  13. class ContentSecurityPolicy extends BaseConfig
  14. {
  15. //-------------------------------------------------------------------------
  16. // Broadbrush CSP management
  17. //-------------------------------------------------------------------------
  18. /**
  19. * Default CSP report context
  20. *
  21. * @var bool
  22. */
  23. public $reportOnly = false;
  24. /**
  25. * Specifies a URL where a browser will send reports
  26. * when a content security policy is violated.
  27. *
  28. * @var string|null
  29. */
  30. public $reportURI;
  31. /**
  32. * Instructs user agents to rewrite URL schemes, changing
  33. * HTTP to HTTPS. This directive is for websites with
  34. * large numbers of old URLs that need to be rewritten.
  35. *
  36. * @var bool
  37. */
  38. public $upgradeInsecureRequests = false;
  39. //-------------------------------------------------------------------------
  40. // Sources allowed
  41. // Note: once you set a policy to 'none', it cannot be further restricted
  42. //-------------------------------------------------------------------------
  43. /**
  44. * Will default to self if not overridden
  45. *
  46. * @var string|string[]|null
  47. */
  48. public $defaultSrc;
  49. /**
  50. * Lists allowed scripts' URLs.
  51. *
  52. * @var string|string[]
  53. */
  54. public $scriptSrc = 'self';
  55. /**
  56. * Lists allowed stylesheets' URLs.
  57. *
  58. * @var string|string[]
  59. */
  60. public $styleSrc = 'self';
  61. /**
  62. * Defines the origins from which images can be loaded.
  63. *
  64. * @var string|string[]
  65. */
  66. public $imageSrc = 'self';
  67. /**
  68. * Restricts the URLs that can appear in a page's `<base>` element.
  69. *
  70. * Will default to self if not overridden
  71. *
  72. * @var string|string[]|null
  73. */
  74. public $baseURI;
  75. /**
  76. * Lists the URLs for workers and embedded frame contents
  77. *
  78. * @var string|string[]
  79. */
  80. public $childSrc = 'self';
  81. /**
  82. * Limits the origins that you can connect to (via XHR,
  83. * WebSockets, and EventSource).
  84. *
  85. * @var string|string[]
  86. */
  87. public $connectSrc = 'self';
  88. /**
  89. * Specifies the origins that can serve web fonts.
  90. *
  91. * @var string|string[]
  92. */
  93. public $fontSrc;
  94. /**
  95. * Lists valid endpoints for submission from `<form>` tags.
  96. *
  97. * @var string|string[]
  98. */
  99. public $formAction = 'self';
  100. /**
  101. * Specifies the sources that can embed the current page.
  102. * This directive applies to `<frame>`, `<iframe>`, `<embed>`,
  103. * and `<applet>` tags. This directive can't be used in
  104. * `<meta>` tags and applies only to non-HTML resources.
  105. *
  106. * @var string|string[]|null
  107. */
  108. public $frameAncestors;
  109. /**
  110. * The frame-src directive restricts the URLs which may
  111. * be loaded into nested browsing contexts.
  112. *
  113. * @var array|string|null
  114. */
  115. public $frameSrc;
  116. /**
  117. * Restricts the origins allowed to deliver video and audio.
  118. *
  119. * @var string|string[]|null
  120. */
  121. public $mediaSrc;
  122. /**
  123. * Allows control over Flash and other plugins.
  124. *
  125. * @var string|string[]
  126. */
  127. public $objectSrc = 'self';
  128. /**
  129. * @var string|string[]|null
  130. */
  131. public $manifestSrc;
  132. /**
  133. * Limits the kinds of plugins a page may invoke.
  134. *
  135. * @var string|string[]|null
  136. */
  137. public $pluginTypes;
  138. /**
  139. * List of actions allowed.
  140. *
  141. * @var string|string[]|null
  142. */
  143. public $sandbox;
  144. /**
  145. * Nonce tag for style
  146. *
  147. * @var string
  148. */
  149. public $styleNonceTag = '{csp-style-nonce}';
  150. /**
  151. * Nonce tag for script
  152. *
  153. * @var string
  154. */
  155. public $scriptNonceTag = '{csp-script-nonce}';
  156. /**
  157. * Replace nonce tag automatically
  158. *
  159. * @var bool
  160. */
  161. public $autoNonce = true;
  162. }