sergio.hinojosa
/
eval-desempeno-v2
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
11 Commits
3 Branches
14MB
Tree: 393020b747
eval-desempeno-v2/app/Config/ContentSecurityPolicy.php

189 lines
4.2KB
Raw Blame History 

  1. <?php

  2. 

  3. namespace Config;

  4. 

  5. use CodeIgniter\Config\BaseConfig;

  6. 

  7. /**

  8.  * Stores the default settings for the ContentSecurityPolicy, if you

  9.  * choose to use it. The values here will be read in and set as defaults

  10.  * for the site. If needed, they can be overridden on a page-by-page basis.

  11.  *

  12.  * Suggested reference for explanations:

  13.  *

  14.  * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/

  15.  */

  16. class ContentSecurityPolicy extends BaseConfig

  17. {

  18.     //-------------------------------------------------------------------------

  19.     // Broadbrush CSP management

  20.     //-------------------------------------------------------------------------

  21. 

  22.     /**

  23.      * Default CSP report context

  24.      *

  25.      * @var bool

  26.      */

  27.     public $reportOnly = false;

  28. 

  29.     /**

  30.      * Specifies a URL where a browser will send reports

  31.      * when a content security policy is violated.

  32.      *

  33.      * @var string|null

  34.      */

  35.     public $reportURI;

  36. 

  37.     /**

  38.      * Instructs user agents to rewrite URL schemes, changing

  39.      * HTTP to HTTPS. This directive is for websites with

  40.      * large numbers of old URLs that need to be rewritten.

  41.      *

  42.      * @var bool

  43.      */

  44.     public $upgradeInsecureRequests = false;

  45. 

  46.     //-------------------------------------------------------------------------

  47.     // Sources allowed

  48.     // Note: once you set a policy to 'none', it cannot be further restricted

  49.     //-------------------------------------------------------------------------

  50. 

  51.     /**

  52.      * Will default to self if not overridden

  53.      *

  54.      * @var string|string[]|null

  55.      */

  56.     public $defaultSrc;

  57. 

  58.     /**

  59.      * Lists allowed scripts' URLs.

  60.      *

  61.      * @var string|string[]

  62.      */

  63.     public $scriptSrc = 'self';

  64. 

  65.     /**

  66.      * Lists allowed stylesheets' URLs.

  67.      *

  68.      * @var string|string[]

  69.      */

  70.     public $styleSrc = 'self';

  71. 

  72.     /**

  73.      * Defines the origins from which images can be loaded.

  74.      *

  75.      * @var string|string[]

  76.      */

  77.     public $imageSrc = 'self';

  78. 

  79.     /**

  80.      * Restricts the URLs that can appear in a page's `<base>` element.

  81.      *

  82.      * Will default to self if not overridden

  83.      *

  84.      * @var string|string[]|null

  85.      */

  86.     public $baseURI;

  87. 

  88.     /**

  89.      * Lists the URLs for workers and embedded frame contents

  90.      *

  91.      * @var string|string[]

  92.      */

  93.     public $childSrc = 'self';

  94. 

  95.     /**

  96.      * Limits the origins that you can connect to (via XHR,

  97.      * WebSockets, and EventSource).

  98.      *

  99.      * @var string|string[]

  100.      */

  101.     public $connectSrc = 'self';

  102. 

  103.     /**

  104.      * Specifies the origins that can serve web fonts.

  105.      *

  106.      * @var string|string[]

  107.      */

  108.     public $fontSrc;

  109. 

  110.     /**

  111.      * Lists valid endpoints for submission from `<form>` tags.

  112.      *

  113.      * @var string|string[]

  114.      */

  115.     public $formAction = 'self';

  116. 

  117.     /**

  118.      * Specifies the sources that can embed the current page.

  119.      * This directive applies to `<frame>`, `<iframe>`, `<embed>`,

  120.      * and `<applet>` tags. This directive can't be used in

  121.      * `<meta>` tags and applies only to non-HTML resources.

  122.      *

  123.      * @var string|string[]|null

  124.      */

  125.     public $frameAncestors;

  126. 

  127.     /**

  128.      * The frame-src directive restricts the URLs which may

  129.      * be loaded into nested browsing contexts.

  130.      *

  131.      * @var array|string|null

  132.      */

  133.     public $frameSrc;

  134. 

  135.     /**

  136.      * Restricts the origins allowed to deliver video and audio.

  137.      *

  138.      * @var string|string[]|null

  139.      */

  140.     public $mediaSrc;

  141. 

  142.     /**

  143.      * Allows control over Flash and other plugins.

  144.      *

  145.      * @var string|string[]

  146.      */

  147.     public $objectSrc = 'self';

  148. 

  149.     /**

  150.      * @var string|string[]|null

  151.      */

  152.     public $manifestSrc;

  153. 

  154.     /**

  155.      * Limits the kinds of plugins a page may invoke.

  156.      *

  157.      * @var string|string[]|null

  158.      */

  159.     public $pluginTypes;

  160. 

  161.     /**

  162.      * List of actions allowed.

  163.      *

  164.      * @var string|string[]|null

  165.      */

  166.     public $sandbox;

  167. 

  168.     /**

  169.      * Nonce tag for style

  170.      *

  171.      * @var string

  172.      */

  173.     public $styleNonceTag = '{csp-style-nonce}';

  174. 

  175.     /**

  176.      * Nonce tag for script

  177.      *

  178.      * @var string

  179.      */

  180.     public $scriptNonceTag = '{csp-script-nonce}';

  181. 

  182.     /**

  183.      * Replace nonce tag automatically

  184.      *

  185.      * @var bool

  186.      */

  187.     public $autoNonce = true;

  188. }