Methods
public __construct(ContentSecurityPolicy $config)
Constructor. Stores the default directive values from the Config file.

public enabled(): bool
Whether Content Security Policy is being enforced.

public getStyleNonce(): string
Get the nonce for the style tag.

public getScriptNonce(): string
Get the nonce for the script tag.

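The two nonce getters are the hook for allowing your own inline scripts and styles without falling back to 'unsafe-inline'. The controller below is an added example, not code from CodeIgniter or from this reference page; it assumes a CodeIgniter 4 application with CSP turned on in Config\App ($CSPEnabled = true) and the default script-src/style-src from app/Config/ContentSecurityPolicy.php. The controller name and the HTML are constructed for illustration.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Controller;

/**
 * Added example, not code from CodeIgniter or from this reference page.
 * Assumes a CodeIgniter 4 app with CSP enabled (Config\App::$CSPEnabled = true).
 * Controller name and markup are constructed for illustration.
 */
class Dashboard extends Controller
{
    public function index()
    {
        // The policy object attached to this response generates one nonce per
        // response; getScriptNonce()/getStyleNonce() return the same value that
        // finalize() will later put into the Content-Security-Policy header.
        $csp = $this->response->getCSP();

        // Escape for attribute context even though the nonce is generated by us:
        // it costs nothing and keeps the template safe if the source ever changes.
        $scriptNonce = esc($csp->getScriptNonce(), 'attr');
        $styleNonce  = esc($csp->getStyleNonce(), 'attr');

        // Constructed page body. Only the inline blocks carrying the nonce run;
        // anything injected into the page (the last <script>) has no way to learn
        // the nonce and is refused by the browser even though it is also inline.
        $body = <<<HTML
        <!doctype html>
        <meta charset="utf-8">
        <style nonce="{$styleNonce}">
          .banner { color: #900; }
        </style>
        <p class="banner">Dashboard</p>
        <script nonce="{$scriptNonce}">
          document.querySelector('.banner').textContent = 'Nonce-approved inline script';
        </script>
        <!-- Simulated injected content: no nonce, so script-src blocks it. -->
        <script>document.title = 'blocked: no nonce';</script>
        HTML;

        // finalize() is applied by the framework when the response is sent, so
        // the nonces above and the header stay in step without extra work here.
        return $this->response->setBody($body);
    }
}
```

Two caveats a reviewer would raise. First, a nonce is only a secret while it is single-use: if a full-page cache or CDN stores the rendered HTML together with its header, every visitor receives the same nonce and an attacker who can read one page can reuse it, so pages carrying nonces must be rendered per response. Second, once a nonce-source is present in script-src, browsers that understand CSP level 2 ignore 'unsafe-inline' for that directive, so keeping 'unsafe-inline' alongside the nonce buys nothing except weaker behaviour in older browsers.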
public finalize(ResponseInterface $response)
Compiles the directives and sets the appropriate headers on the response.
Should be called just prior to sending the response to the user agent.

public reportOnly(bool $value = true): $this
If TRUE, nothing will be restricted. Instead all violations will
be reported to the reportURI for monitoring. This is useful when
you are just starting to implement the policy, and will help
determine what errors need to be addressed before you turn on
all filtering.

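Report-only mode is only useful if something receives the reports. Browsers POST each violation as JSON (Content-Type application/csp-report, body {"csp-report": {...}}) to the URL given to setReportURI(), so you need an endpoint that accepts untrusted POSTs from every visitor's browser, keeps the fields you can triage on, and discards the rest. The controller below is an added example, not code from CodeIgniter or from this reference page; the route /csp-report, the field selection and the size limit are assumptions.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Controller;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Added example, not code from CodeIgniter or from this reference page.
 * Receives browser CSP violation reports POSTed to the URL passed to
 * setReportURI(). Route name, field list and limits are assumptions.
 */
class CspReport extends Controller
{
    // Fields worth keeping for triage. Everything else the client sends is
    // dropped so a hostile browser cannot stuff arbitrary content into logs.
    private const KEEP = [
        'document-uri', 'violated-directive', 'effective-directive',
        'blocked-uri', 'source-file', 'line-number', 'disposition',
    ];

    // Reports are small; anything larger is not a report.
    private const MAX_BODY_BYTES = 8192;

    public function store(): ResponseInterface
    {
        $raw = $this->request->getBody();

        if ($raw === null || strlen($raw) > self::MAX_BODY_BYTES) {
            return $this->response->setStatusCode(413);
        }

        $report = self::parse($raw);
        if ($report === null) {
            return $this->response->setStatusCode(400);
        }

        // One structured line per violation; aggregate by violated-directive and
        // blocked-uri before deciding which sources the enforced policy needs.
        log_message('warning', 'CSP violation: {report}', ['report' => json_encode($report)]);

        // Nothing to render; the browser never shows this response anyway.
        return $this->response->setStatusCode(204);
    }

    /**
     * Parse a csp-report body into a flat array containing only KEEP fields.
     * Returns null when the body is not a well-formed report.
     */
    public static function parse(string $raw): ?array
    {
        $data = json_decode($raw, true);
        if (! is_array($data) || ! isset($data['csp-report']) || ! is_array($data['csp-report'])) {
            return null;
        }

        $out = [];
        foreach (self::KEEP as $key) {
            $value = $data['csp-report'][$key] ?? null;
            if (is_scalar($value)) {
                // Truncate each field so a single report cannot flood a log line.
                $out[$key] = mb_substr((string) $value, 0, 512);
            }
        }

        return $out;
    }
}
```

A constructed report body this endpoint would accept looks like {"csp-report":{"document-uri":"https://app.example.test/","violated-directive":"script-src","blocked-uri":"https://evil.example.test/x.js"}}. Because browsers send these POSTs without any application token, the route has to be exempted from the CSRF filter (in app/Config/Filters.php the csrf entry accepts an 'except' list of URIs), otherwise every report is rejected before it reaches the controller. report-uri is marked deprecated in favour of the Reporting API (report-to), but it is what this class emits and current browsers still honour it.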
public addBaseURI(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new base-uri value. Can be either a URI class or a simple string.
base-uri restricts the URLs that can appear in a page's <base> element,
which otherwise lets injected markup redirect every relative URL on the page.

public addChildSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid source for child-src. Can be either
a URI class or a simple string.
child-src lists the URLs for workers and embedded frame contents.
For example: child-src https://youtube.com would enable embedding
videos from YouTube but not from other origins.

public addConnectSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid source for connect-src. Can be either
a URI class or a simple string.
connect-src limits the origins to which the page can connect
(via XHR, fetch, WebSockets, and EventSource).

public setDefaultSrc(array|string $uri, ?bool $explicitReporting = null): $this
Sets the default-src sources. Can be either
a URI class or a simple string.
default-src is the fallback used by the fetch directives (script-src,
style-src, img-src, and so on) when no more specific source has been set.

public addFontSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid source for font-src. Can be either
a URI class or a simple string.
font-src specifies the origins that can serve web fonts.

public addFormAction(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid endpoint for a form's action. Can be either
a URI class or a simple string.
form-action restricts the URLs to which forms on the page may be submitted.

public addFrameAncestor(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new origin that is allowed to embed this resource using
<frame>, <iframe>, <object>, <embed>, or <applet>.
frame-ancestors is the CSP replacement for X-Frame-Options; a value of
'none' refuses all framing and is the usual clickjacking defence.

public addFrameSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid endpoint for valid frame sources. Can be either
a URI class or a simple string.

public addImageSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid endpoint for valid image sources. Can be either
a URI class or a simple string.

public addMediaSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid endpoint for valid video and audio sources. Can be either
a URI class or a simple string.

public addManifestSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid endpoint for manifest sources. Can be either
a URI class or a simple string.

public addObjectSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid endpoint for Flash and other plugin sources. Can be either
a URI class or a simple string.

public addPluginType(array|string $mime, ?bool $explicitReporting = null): $this
Limits the types of plugins that can be used. Can be either
an array or a simple string.
Note that plugin-types is deprecated and ignored by current browsers;
object-src 'none' is the reliable way to disable plugin content.
Parameters
$mime
One or more plugin MIME types, separated by spaces

public setReportURI(string $uri): $this
Specifies a URL where a browser will send reports when a content
security policy is violated. Accepts a simple string.

public addSandbox(array|string $flags, ?bool $explicitReporting = null): $this
Specifies an HTML sandbox policy that the user agent applies to
the protected resource.
Parameters
$flags
An array of sandbox flags that can be added to the directive.

public addScriptSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid endpoint for JavaScript file sources. Can be either
a URI class or a simple string.

public addStyleSrc(array|string $uri, ?bool $explicitReporting = null): $this
Adds a new valid endpoint for CSS file sources. Can be either
a URI class or a simple string.

public upgradeInsecureRequests(bool $value = true): $this
Sets whether user agents should rewrite URL schemes, changing
HTTP to HTTPS.

protected addOption(array|string $options, string $target, ?bool $explicitReporting = null)
DRY helper that adds a string or an array of values to a class property.

protected generateNonces(ResponseInterface $response)
Scans the body of the response message and replaces any nonce
placeholders with actual nonces, which are then added to the
headers.

protected buildHeaders(ResponseInterface $response)
Based on the current state of the elements, adds the appropriate
Content-Security-Policy and Content-Security-Policy-Report-Only headers
with their values to the response object.

protected addToHeader(string $name, array|string|null $values = null)
Adds a directive and its options to the appropriate header. The $values
array might have options that are geared toward either the regular or the
report-only header, since it is viable to have both simultaneously.

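The $explicitReporting parameter that every add*Src method carries is what makes the two headers coexist: as addToHeader() describes, each source value is routed either to Content-Security-Policy or to Content-Security-Policy-Report-Only, so a tightening you are not yet sure about can be measured while the current policy keeps being enforced. The filter below is an added example, not code from CodeIgniter or from this reference page. It assumes a CodeIgniter 4 application with CSP enabled, that a value flagged true is placed in the report-only header and a value flagged false in the enforced one (the reading of addToHeader() above), that the framework applies finalize() when the response is sent, and hypothetical origins and a /csp-report route; the filter name is made up.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Added example, not code from CodeIgniter or from this reference page.
 * Assumes: CSP enabled in Config\App; a source flagged $explicitReporting=true
 * goes to Content-Security-Policy-Report-Only and a source flagged false to
 * Content-Security-Policy (as addToHeader() describes); the framework calls
 * finalize() on send. Origins and the /csp-report route are hypothetical.
 */
class CspStagedTighteningFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // Nothing to do before the controller runs; headers are set on the way out.
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        $csp = $response->getCSP();

        // Enforced baseline (flag false): what users are protected by today.
        // Keywords such as 'self' and 'none' are passed bare, matching the
        // convention of app/Config/ContentSecurityPolicy.php; the class quotes them.
        $csp->setDefaultSrc('self', false)
            ->addObjectSrc('none', false)        // no plugin content at all
            ->addBaseURI('self', false)          // no <base> injection
            ->addFormAction('self', false)       // forms post only to us
            ->addImageSrc(['self', 'https:'], false)  // deliberately loose today
            ->upgradeInsecureRequests();

        // Candidate tightenings (flag true): reported, not enforced. The values
        // differ from the enforced ones on purpose, since a value can only sit in
        // one of the two headers; each directive below is exactly the stricter
        // rule we intend to enforce once the reports come back clean.
        $csp->addFrameAncestor('none', true)                       // who frames us?
            ->addImageSrc(['self', 'https://images.example.test'], true)  // which image hosts are real?
            ->setReportURI('/csp-report');

        // Resulting headers (constructed, per the assumptions above):
        //   Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self';
        //       form-action 'self'; img-src 'self' https:; upgrade-insecure-requests;
        //   Content-Security-Policy-Report-Only: frame-ancestors 'none';
        //       img-src 'self' https://images.example.test; report-uri /csp-report;
    }
}
```

Reading the resulting reports is where the value lies: a flood of frame-ancestors reports from a partner's origin means that partner embeds you and needs to be listed before 'none' can be enforced, while img-src reports that all name one forgotten asset host tell you what to add. When a directive's reports are clean, move its values from the report-only call to the enforced one (flag false, or null to follow the class-wide reportOnly setting) and delete the loose enforced value it replaces; leaving both 'https:' and the narrow list in the enforced header would silently keep the loose rule in effect.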