|
- <?php
-
- namespace Config;
-
- use CodeIgniter\Config\BaseConfig;
-
- /**
- * Stores the default settings for the ContentSecurityPolicy, if you
- * choose to use it. The values here will be read in and set as defaults
- * for the site. If needed, they can be overridden on a page-by-page basis.
- *
- * Suggested reference for explanations:
- *
- * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
- */
- class ContentSecurityPolicy extends BaseConfig
- {
- //-------------------------------------------------------------------------
- // Broadbrush CSP management
- //-------------------------------------------------------------------------
-
- /**
- * Default CSP report context
- *
- * @var bool
- */
- public $reportOnly = false;
-
- /**
- * Specifies a URL where a browser will send reports
- * when a content security policy is violated.
- *
- * @var string|null
- */
- public $reportURI;
-
- /**
- * Instructs user agents to rewrite URL schemes, changing
- * HTTP to HTTPS. This directive is for websites with
- * large numbers of old URLs that need to be rewritten.
- *
- * @var bool
- */
- public $upgradeInsecureRequests = false;
-
- //-------------------------------------------------------------------------
- // Sources allowed
- // Note: once you set a policy to 'none', it cannot be further restricted
- //-------------------------------------------------------------------------
-
- /**
- * Will default to self if not overridden
- *
- * @var string|string[]|null
- */
- public $defaultSrc;
-
- /**
- * Lists allowed scripts' URLs.
- *
- * @var string|string[]
- */
- public $scriptSrc = 'self';
-
- /**
- * Lists allowed stylesheets' URLs.
- *
- * @var string|string[]
- */
- public $styleSrc = 'self';
-
- /**
- * Defines the origins from which images can be loaded.
- *
- * @var string|string[]
- */
- public $imageSrc = 'self';
-
- /**
- * Restricts the URLs that can appear in a page's `<base>` element.
- *
- * Will default to self if not overridden
- *
- * @var string|string[]|null
- */
- public $baseURI;
-
- /**
- * Lists the URLs for workers and embedded frame contents
- *
- * @var string|string[]
- */
- public $childSrc = 'self';
-
- /**
- * Limits the origins that you can connect to (via XHR,
- * WebSockets, and EventSource).
- *
- * @var string|string[]
- */
- public $connectSrc = 'self';
-
- /**
- * Specifies the origins that can serve web fonts.
- *
- * @var string|string[]
- */
- public $fontSrc;
-
- /**
- * Lists valid endpoints for submission from `<form>` tags.
- *
- * @var string|string[]
- */
- public $formAction = 'self';
-
- /**
- * Specifies the sources that can embed the current page.
- * This directive applies to `<frame>`, `<iframe>`, `<embed>`,
- * and `<applet>` tags. This directive can't be used in
- * `<meta>` tags and applies only to non-HTML resources.
- *
- * @var string|string[]|null
- */
- public $frameAncestors;
-
- /**
- * The frame-src directive restricts the URLs which may
- * be loaded into nested browsing contexts.
- *
- * @var array|string|null
- */
- public $frameSrc;
-
- /**
- * Restricts the origins allowed to deliver video and audio.
- *
- * @var string|string[]|null
- */
- public $mediaSrc;
-
- /**
- * Allows control over Flash and other plugins.
- *
- * @var string|string[]
- */
- public $objectSrc = 'self';
-
- /**
- * @var string|string[]|null
- */
- public $manifestSrc;
-
- /**
- * Limits the kinds of plugins a page may invoke.
- *
- * @var string|string[]|null
- */
- public $pluginTypes;
-
- /**
- * List of actions allowed.
- *
- * @var string|string[]|null
- */
- public $sandbox;
-
- /**
- * Nonce tag for style
- *
- * @var string
- */
- public $styleNonceTag = '{csp-style-nonce}';
-
- /**
- * Nonce tag for script
- *
- * @var string
- */
- public $scriptNonceTag = '{csp-script-nonce}';
-
- /**
- * Replace nonce tag automatically
- *
- * @var bool
- */
- public $autoNonce = true;
- }
|
