Class humhub\modules\web\security\helpers\CSPBuilder

Inheritance: humhub\modules\web\security\helpers\CSPBuilder

Class CSPBuilder from https://github.com/paragonie/csp-builder/blob/master/src/CSPBuilder.php, made compatible with PHP 5.6.

HumHub Patches:

  • PHP 5.6 compatibility
  • Removed report-to since it broke reporting
  • Added rtrim to compile() to remove the trailing ;
  • Added report-sample support

Public Methods

| Method | Description | Defined By |
|---|---|---|
| __construct() | | humhub\modules\web\security\helpers\CSPBuilder |
| addDirective() | Add a directive if it doesn't already exist | humhub\modules\web\security\helpers\CSPBuilder |
| addSource() | Add a source to our allow white-list | humhub\modules\web\security\helpers\CSPBuilder |
| allowPluginType() | Add a plugin type to the allowed list | humhub\modules\web\security\helpers\CSPBuilder |
| compile() | Compile the current policies into a CSP header | humhub\modules\web\security\helpers\CSPBuilder |
| disableHttpsTransformOnHttpsConnections() | Disable the conversion of HTTP sources to HTTPS when the connection itself is HTTPS. | humhub\modules\web\security\helpers\CSPBuilder |
| disableOldBrowserSupport() | Disable old browser support (e.g. Safari) | humhub\modules\web\security\helpers\CSPBuilder |
| enableHttpsTransformOnHttpsConnections() | Enable the conversion of HTTP sources to HTTPS when the connection itself is HTTPS. | humhub\modules\web\security\helpers\CSPBuilder |
| enableOldBrowserSupport() | Enable old browser support (e.g. Safari) | humhub\modules\web\security\helpers\CSPBuilder |
| fromArray() | This just passes the array to the constructor, but hopefully will save someone in a hurry from a moment of frustration. | humhub\modules\web\security\helpers\CSPBuilder |
| fromData() | Factory method - create a new CSPBuilder object from JSON data | humhub\modules\web\security\helpers\CSPBuilder |
| fromFile() | Factory method - create a new CSPBuilder object from a JSON file | humhub\modules\web\security\helpers\CSPBuilder |
| getCompiledHeader() | Get the formatted CSP header | humhub\modules\web\security\helpers\CSPBuilder |
| getHeaderArray() | Get an associative array of headers to return. | humhub\modules\web\security\helpers\CSPBuilder |
| getRequireHeaders() | | humhub\modules\web\security\helpers\CSPBuilder |
| hash() | Add a new hash to the existing CSP | humhub\modules\web\security\helpers\CSPBuilder |
| injectCSPHeader() | PSR-7 header injection. | humhub\modules\web\security\helpers\CSPBuilder |
| nonce() | Add a new nonce to the existing CSP. Returns the nonce generated. | humhub\modules\web\security\helpers\CSPBuilder |
| preHash() | Add a new (pre-calculated) base64-encoded hash to the existing CSP | humhub\modules\web\security\helpers\CSPBuilder |
| requireSRIFor() | | humhub\modules\web\security\helpers\CSPBuilder |
| saveSnippet() | Save CSP to a snippet file | humhub\modules\web\security\helpers\CSPBuilder |
| sendCSPHeader() | Send the compiled CSP as a header() | humhub\modules\web\security\helpers\CSPBuilder |
| setAllowUnsafeEval() | Allow/disallow unsafe-eval within a given directive. | humhub\modules\web\security\helpers\CSPBuilder |
| setAllowUnsafeInline() | Allow/disallow unsafe-inline within a given directive. | humhub\modules\web\security\helpers\CSPBuilder |
| setBlobAllowed() | Allow/disallow blob: URIs for a given directive | humhub\modules\web\security\helpers\CSPBuilder |
| setDataAllowed() | Allow/disallow data: URIs for a given directive | humhub\modules\web\security\helpers\CSPBuilder |
| setDirective() | Set a directive. | humhub\modules\web\security\helpers\CSPBuilder |
| setFileSystemAllowed() | Allow/disallow filesystem: URIs for a given directive | humhub\modules\web\security\helpers\CSPBuilder |
| setMediaStreamAllowed() | Allow/disallow mediastream: URIs for a given directive | humhub\modules\web\security\helpers\CSPBuilder |
| setReportUri() | Set the Report URI to the desired string. Upstream this also sets the 'report-to' component of the CSP header for CSP Level 3 compatibility; the HumHub patch removes report-to. | humhub\modules\web\security\helpers\CSPBuilder |
| setSelfAllowed() | Allow/disallow self URIs for a given directive | humhub\modules\web\security\helpers\CSPBuilder |
| setStrictDynamic() | Set strict-dynamic for a given directive. | humhub\modules\web\security\helpers\CSPBuilder |
| setUnsafeEvalAllowed() | | humhub\modules\web\security\helpers\CSPBuilder |
| setUnsafeInlineAllowed() | | humhub\modules\web\security\helpers\CSPBuilder |

Protected Methods

| Method | Description | Defined By |
|---|---|---|
| compileSubgroup() | Compile a subgroup into a policy string | humhub\modules\web\security\helpers\CSPBuilder |
| getHeaderKeys() | Get an array of header keys to return | humhub\modules\web\security\helpers\CSPBuilder |
| isHTTPSConnection() | Is this user currently connected over HTTPS? | humhub\modules\web\security\helpers\CSPBuilder |

Constants

| Constant | Value | Description | Defined By |
|---|---|---|---|
| FORMAT_APACHE | 'apache' | | humhub\modules\web\security\helpers\CSPBuilder |
| FORMAT_NGINX | 'nginx' | | humhub\modules\web\security\helpers\CSPBuilder |

Property Details

$httpsTransformOnHttpsConnections protected property

$supportOldBrowsers protected property

protected boolean $supportOldBrowsers = true

Method Details

__construct() public method

public void __construct ( array $policy = [] )
$policy array
addDirective() public method

Add a directive if it doesn't already exist

If it already exists, do nothing

public self addDirective ( $key, $value = null )
$key string
$value mixed
addSource() public method

Add a source to our allow white-list

public self addSource ( $directive, $path )
$directive string
$path string
allowPluginType() public method

Add a plugin type to the allowed list

public self allowPluginType ( $mime = 'text/plain' )
$mime string
compile() public method

Compile the current policies into a CSP header

public string compile ( )
throws TypeError
compileSubgroup() protected method

Compile a subgroup into a policy string

protected string compileSubgroup ( $directive, $policies = [] )
$directive string
$policies mixed
disableHttpsTransformOnHttpsConnections() public method

Disable the conversion of HTTP sources to HTTPS when the connection itself is HTTPS.

public self disableHttpsTransformOnHttpsConnections ( )
disableOldBrowserSupport() public method

Disable old browser support (e.g. Safari)

public self disableOldBrowserSupport ( )
enableHttpsTransformOnHttpsConnections() public method

Enable the conversion of HTTP sources to HTTPS when the connection itself is HTTPS.

This is enabled by default.

public self enableHttpsTransformOnHttpsConnections ( )
enableOldBrowserSupport() public method

Enable old browser support (e.g. Safari)

This is enabled by default.

public self enableOldBrowserSupport ( )
fromArray() public static method

This just passes the array to the constructor, but hopefully will save someone in a hurry from a moment of frustration.

public static self fromArray ( array $array = [] )
$array array
fromData() public static method

Factory method - create a new CSPBuilder object from JSON data

public static self fromData ( $data = '' )
$data string
throws Exception
fromFile() public static method

Factory method - create a new CSPBuilder object from a JSON file

public static self fromFile ( $filename = '' )
$filename string
throws Exception
getCompiledHeader() public method

Get the formatted CSP header

public string getCompiledHeader ( )
getHeaderArray() public method

Get an associative array of headers to return.

public array getHeaderArray ( $legacy = true )
$legacy boolean
return array<string, string>

getHeaderKeys() protected method

Get an array of header keys to return

protected array getHeaderKeys ( $legacy = true )
$legacy boolean
getRequireHeaders() public method

public array getRequireHeaders ( )
return array<array{0: string, 1: string}>

hash() public method

Add a new hash to the existing CSP

public self hash ( $directive = 'script-src', $script = '', $algorithm = 'sha384' )
$directive string
$script string
$algorithm string
injectCSPHeader() public method

PSR-7 header injection.

This will inject the header into your PSR-7 object. (Request, Response, etc.) This method returns an instance of whatever you passed, so long as it implements MessageInterface.

public \Psr\Http\Message\MessageInterface injectCSPHeader ( \Psr\Http\Message\MessageInterface $message, $legacy = false )
$message \Psr\Http\Message\MessageInterface
$legacy boolean
isHTTPSConnection() protected method

Is this user currently connected over HTTPS?

protected boolean isHTTPSConnection ( )
nonce() public method

Add a new nonce to the existing CSP. Returns the nonce generated.

public string nonce ( $directive = 'script-src', $nonce = '' )
$directive string
$nonce string (if empty, it will be generated)
throws Exception
preHash() public method

Add a new (pre-calculated) base64-encoded hash to the existing CSP

public self preHash ( $directive = 'script-src', $hash = '', $algorithm = 'sha384' )
$directive string
$hash string
$algorithm string
requireSRIFor() public method

public self requireSRIFor ( $directive )
$directive string
saveSnippet() public method

Save CSP to a snippet file

public boolean saveSnippet ( $outputFile, $format = self::FORMAT_NGINX )
$outputFile string Output file name
$format string Which format are we saving in?
throws Exception
sendCSPHeader() public method

Send the compiled CSP as a header()

public boolean sendCSPHeader ( $legacy = true )
$legacy boolean Send legacy headers?
throws Exception
setAllowUnsafeEval() public method

Allow/disallow unsafe-eval within a given directive.

public self setAllowUnsafeEval ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setAllowUnsafeInline() public method

Allow/disallow unsafe-inline within a given directive.

public self setAllowUnsafeInline ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setBlobAllowed() public method

Allow/disallow blob: URIs for a given directive

public self setBlobAllowed ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setDataAllowed() public method

Allow/disallow data: URIs for a given directive

public self setDataAllowed ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setDirective() public method

Set a directive.

This lets you overwrite a complex directive entirely (e.g. script-src) or set a top-level directive (e.g. report-uri).

public self setDirective ( $key, $value = [] )
$key string
$value mixed
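An added example (not HumHub's or the upstream library's own code) of how the documented methods fit together on a page-rendering path: the policy is assembled with the setters, one fresh nonce is minted per response, and the compiled value is sent as the header. It relies only on the signatures listed on this page; the CDN host and report endpoint are placeholders.

```php
<?php
// Added example, not code from HumHub or paragonie/csp-builder. It assumes only
// the method signatures documented on this page; host names are placeholders.
use humhub\modules\web\security\helpers\CSPBuilder;

/**
 * Build the site-wide policy once; the per-response nonce is added later.
 */
function buildPolicy()
{
    $csp = new CSPBuilder();

    // Start strict: every fetch directive falls back to same-origin only.
    $csp->setDirective('default-src', ['self' => true]);

    // Scripts: same origin plus one CDN; keep unsafe-inline and unsafe-eval off
    // so that only nonce-carrying inline scripts can run.
    $csp->setSelfAllowed('script-src', true)
        ->addSource('script-src', 'https://cdn.example.invalid') // placeholder host
        ->setAllowUnsafeInline('script-src', false)
        ->setAllowUnsafeEval('script-src', false);

    // Violation reports. The HumHub patch drops the report-to directive (it broke
    // reporting), so only report-uri ends up in the compiled header.
    $csp->setReportUri('https://www.example.invalid/csp-report'); // placeholder

    return $csp;
}

$csp = buildPolicy();

// One nonce per response, never cached or reused: nonce() registers it under
// script-src and returns the generated value.
$nonce = $csp->nonce('script-src');

// compile() returns the header value; HumHub's rtrim patch means it carries no
// trailing ';'. sendCSPHeader() emits it via header(), so call it before output.
$headerValue = $csp->compile();
$csp->sendCSPHeader();

// Echo the nonce into the markup with output escaping like any other value.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">'
   . 'window.appReady = true;'
   . '</script>';
```

Any inline script without this exact nonce attribute is blocked by the browser and, where the report endpoint is reachable, reported to the report-uri above.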
setFileSystemAllowed() public method

Allow/disallow filesystem: URIs for a given directive

public self setFileSystemAllowed ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setMediaStreamAllowed() public method

Allow/disallow mediastream: URIs for a given directive

public self setMediaStreamAllowed ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setReportUri() public method

Set the Report URI to the desired string. Upstream this also sets the 'report-to' component of the CSP header for CSP Level 3 compatibility; the HumHub patch removes report-to (see "HumHub Patches" above).

public self setReportUri ( $url = '' )
$url string
setSelfAllowed() public method

Allow/disallow self URIs for a given directive

public self setSelfAllowed ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setStrictDynamic() public method

Set strict-dynamic for a given directive.

public self setStrictDynamic ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setUnsafeEvalAllowed() public method

public self setUnsafeEvalAllowed ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception
setUnsafeInlineAllowed() public method

public self setUnsafeInlineAllowed ( $directive = '', $allow = false )
$directive string
$allow boolean
throws Exception