Rewrite classes to use an interface for mocking
Showing
9 changed files
with
356 additions
and
264 deletions.
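--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Ancarda\Security\Header;
+
+/**
+* Helper class to build a simple Content-Security-Policy header
+*
+* To use this class, instantiate it, and use the with() methods to build up a
+* whitelist of where stylesheets and scripts can come from, as well as where
+* connections (XMLHttpRequest and WebSocket) are permitted to go to.
+*
+* You could use this library as follows:
+*
+* $csp = new ContentSecurityPolicy();
+* $csp = $csp->withScriptsFromDomain('example.com');
+* $csp = $csp->withStylesheetsFromSelf();
+* header('Content-SecurityPolicy: ' . $csp->compile());
+*
+* Alternatively, you may chain these calls:
+*
+* $csp = new ContentSecurityPolicy();
+* header('Content-Security-Policy: ' . $csp
+* ->withScriptsFromDomain('example.com')
+* ->withStylesheetsFromSelf()
+* ->compile());
+*
+* Once you are done, call compile() to get the header value. You can now pass
+* this to whatever method you use to set HTTP response headers.
+*
+* Everything defaults to denied.
+*/
+interface ContentSecurityPolicyInterface extends HeaderInterface
+{
+/**
+* Returns the Content Security Policy nonce value that allows inline content to
+* be rendered and executed.
+*
+* @return string
+*/
+public function getNonce(): string;
+
+/**
+* Sets the nonce value used in this policy.
+*
+* A suitable, random nonce is automatically generated by the constructor, but
+* may be changed by this method. The nonce should be at-least 32 characters
+* long.
+*
+* @param string $nonce Random nonce, at-least 32 characters
+* @return ContentSecurityPolicyInterface
+*/
+public function withNonce(string $nonce): ContentSecurityPolicyInterface;
+
+/**
+* Whitelists executing scripts from the specified domain.
+*
+* @param string $domain Domain to add
+* @return ContentSecurityPolicyInterface
+*/
+public function withScriptsFromDomain(string $domain): ContentSecurityPolicyInterface;
+
+/**
+* Whitelists executing scripts on the same domain the policy is active on.
+*
+* @return ContentSecurityPolicyInterface
+*/
+public function withScriptsFromSelf(): ContentSecurityPolicyInterface;
+
+/**
+* Whitelists connecting (XMLHttpRequest and WebSockets) to same domain the
+* policy is active on.
+*
+* @return ContentSecurityPolicyInterface
+*/
+public function withConnectToSelf(): ContentSecurityPolicyInterface;
+
+/**
+* Whitelists rendering stylesheets from the specified domain.
+*
+* @param string $domain Domain to add
+* @return ContentSecurityPolicyInterface
+*/
+public function withStylesheetsFromDomain(string $domain): ContentSecurityPolicyInterface;
+
+/**
+* Whitelists rendering stylesheets on the same domain the policy is active on.
+*
+* @return ContentSecurityPolicyInterface
+*/
+public function withStylesheetsFromSelf(): ContentSecurityPolicyInterface;
+
+/**
+* Whitelists displaying images from the specified domain.
+*
+* @param string $domain Domain to add
+* @return ContentSecurityPolicyInterface
+*/
+public function withImagesFromDomain(string $domain): ContentSecurityPolicyInterface;
+
+/**
+* Whitelists displaying images on the same domain the policy is active on.
+*
+* @return ContentSecurityPolicyInterface
+*/
+public function withImagesFromSelf(): ContentSecurityPolicyInterface;
+}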
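Review bot: The first usage example in the interface docblock misspells the header name as `Content-SecurityPolicy` (missing hyphen), while the chained example a few lines below spells it correctly; anyone copying the first example would emit a header the browser ignores, so no policy is enforced at all. Change that line to `header('Content-Security-Policy: ' . $csp->compile());`. The withNonce() docblock states a length requirement but not the properties that actually make a nonce safe; I would extend the @param to something like `Random nonce, at-least 32 characters, generated from a CSPRNG (e.g. random_bytes()) and unique per response`. It also does not say what happens when a shorter nonce is supplied; if the implementing class rejects it (not visible in this hunk), add a matching `@throws` tag to the interface so mocks and callers share the contract.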