added the remaining configuration directives
lupo49 committed Jun 25, 2011
1 parent 019f2c0 commit 66db8c0
Showing 4 changed files with 141 additions and 28 deletions.
118 changes: 96 additions & 22 deletions action.php
Expand Up @@ -2,7 +2,7 @@

/**
* DokuWiki Content Security Policy (CSP) plugin
*
*
* @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
* @author Matthias Schulte <post@lupo49.de>
* @link http://www.dokuwiki.org/plugin:cspheader
Expand All @@ -16,20 +16,6 @@

class action_plugin_cspheader extends DokuWiki_Action_Plugin {

/**
* return some info
*/
function getInfo() {
return array (
'author' => 'Matthias Schulte',
'email' => 'post@lupo49.de',
'date' => '2011-06-23',
'name' => 'Content Security Policy (CSP) plugin',
'desc' => 'Injects the Content Security Policy (CSP) header.',
'url' => 'http://www.dokuwiki.org/plugin:cspheader',
);
}

/**
* Register the eventhandler.
*/
Expand All @@ -41,17 +27,105 @@ function register(&$controller) {
* Handler for the ACTION_HEADERS_SEND event
*/
function handle_headers_send(&$event, $params) {
// Documentation: https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives
$cspheader = 'X-Content-Security-Policy:';

global $conf;
$cspheader = 'X-Content-Security-Policy: ';
$cspvalues = array();
$addsemicolon = false;

if($this->getConf('enableHeader')) {
// Take care of spaces and semicolons betweeen the directives

// host-expr examples: http://*.foo.com, mail.foo.com:443, https://store.foo.com
// Besides FQDNs there are some keywords which are allowed 'self', 'none' or data:-URIs
// Documentation: https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives

// Set the value for the "allow" directive
// allow host-expr
if($this->getConf('allowValue')) {
$cspheader .= 'allow ' . '\'' . $this->getConf('allowValue') . '\'';
} else {
$cspheader .= 'allow \'self\'';
$allow = 'allow ' . $this->getConf('allowValue');
array_push($cspvalues, $allow);
}

// options [inline-script|eval-script]
if($this->getConf('optionsInline') || $this->getConf('optionsEval')) {
$optionsline = 'options';

if($this->getConf('optionsInline')) $optionsline .= ' inline-script';
if($this->getConf('optionsEval')) $optionsline .= ' eval-script';

array_push($cspvalues, $optionsline);
}

// img-src host-expr
if($this->getConf('imgsrcValue')) {
$imgsrc = 'img-src ' . $this->getConf('imgsrcValue');
array_push($cspvalues, $imgsrc);
}

// media-src host-expr
if($this->getConf('mediasrcValue')) {
$mediasrc = ' media-src ' . $this->getConf('mediasrcValue');
array_push($cspvalues, $mediasrc);
}

// script-src host-expr
if($this->getConf('scriptsrcValue')) {
$scriptsrc = 'script-src ' . $this->getConf('scriptsrcValue');
array_push($cspvalues, $scriptsrc);
}

// object-src host-expr
if($this->getConf('objectsrcValue')) {
$objectsrc = 'object-src ' . $this->getConf('objectsrcValue');
array_push($cspvalues, $objectsrc);
}

// frame-src host-expr
if($this->getConf('framesrcValue')) {
$framesrc = 'frame-src ' . $this->getConf('framesrcValue');
array_push($cspvalues, $framesrc);
}

// font-src host-expr
if($this->getConf('fontsrcValue')) {
$fontsrc = 'font-src ' . $this->getConf('fontsrcValue');
array_push($cspvalues, $fontsrc);
}

// xhr-src host-expr
if($this->getConf('xhrsrcValue')) {
$xhrsrc = 'xhr-src ' . $this->getConf('xhrsrcValue');
array_push($cspvalues, $xhrsrc);
}

// frame-ancestors host-expr
if($this->getConf('frameancestorsValue')) {
$frameancestors = 'frame-ancestors ' . $this->getConf('frameancestorsValue');
array_push($cspvalues, $frameancestors);

}

// style-src host-expr
if($this->getConf('stylesrcValue')) {
$stylesrc = 'style-src ' . $this->getConf('stylesrcValue');
array_push($cspvalues, $stylesrc);
}

// report-uri uri
if($this->getConf('reporturiValue')) {
$reportui = 'report-uri ' . $this->getConf('reporturiValue');
array_push($cspvalues, $reportui);
}

// policy-uri uri
if($this->getConf('policyuriValue')) {
$policyuri = 'policy-uri ' . $this->getConf('policyuriValue');
array_push($cspvalues, $policyuri);
}

// concat each array element seperated by a semicolon and a space
$cspheader .= implode('; ', $cspvalues);

if($conf["allowdebug"]) msg("CSPheader plugin (DEBUG): ". $cspheader);

// add the CSP header to the existing headers
array_push($event->data, $cspheader);
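Review bot: When `allowValue` is blank, the first branch of the hunk now emits no `allow` directive at all, whereas the replaced code fell back to `allow 'self'`, so enabling the header with that setting empty sends a policy without its catch-all (and with every setting empty, a bare `X-Content-Security-Policy: ` header); the Mozilla page cited in the comment treats `allow` as the required catch-all directive. Restoring the fallback is two lines: `$allowValue = $this->getConf('allowValue');` followed by `array_push($cspvalues, 'allow ' . ($allowValue ? $allowValue : "'self'"));`. In the same hunk, `' media-src '` has a leading space the other directives lack, which yields `;  media-src` after `implode('; ', …)`, and `policy-uri` is appended next to the other directives although the settings text in this commit says it conflicts with them — when `policyuriValue` is set the rest of the array should be dropped, or at least a warning emitted. The directive values reach the header unmodified; they come from the admin configuration rather than the request, so this is a matter of admin trust, but stripping CR and LF before the `array_push($event->data, $cspheader)` would make that boundary explicit. The body of `handle_headers_send` continues beyond the end of the hunk.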
17 changes: 15 additions & 2 deletions conf/default.php
Expand Up @@ -6,5 +6,18 @@
* @author Matthias Schulte <post@lupo49.de>
*/

$conf['enableHeader'] = 0; // Enable/Disable the header
$conf['allowValue'] = 'self'; // Set value for the "allow" directive
$conf['enableHeader'] = 0; // Enable/Disable the header
$conf['allowValue'] = '\'self\''; // Set value for the "allow" directive
$conf['optionsInline'] = 0; // Set values for tha "options inline-script" directive
$conf['optionsEval'] = 0; // Set values for tha "options eval-script" directive
$conf['imgsrcValue'] = '';
$conf['mediasrcValue'] = '';
$conf['scriptsrcValue'] = '';
$conf['objectsrcValue'] = '';
$conf['framesrcValue'] = '';
$conf['fontsrcValue'] = '';
$conf['xhrsrcValue'] = '';
$conf['frameancestorsValue'] = '';
$conf['stylesrcValue'] = '';
$conf['reporturiValue'] = '';
$conf['policyuriValue'] = '';
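Review bot: The comments on the `optionsInline` and `optionsEval` lines read `tha "options inline-script"` / `tha "options eval-script"`; `tha` should be `the` in both. The new default for `allowValue` carries the single quotes inside the string (`'\'self\''`) because the action.php hunk of this commit no longer adds them and inserts the value verbatim, yet nothing on this line tells an admin that; a comment such as `// inserted verbatim: CSP keywords need quotes ('self', 'none'), host names do not` would. The thirteen new host-expression settings have no comment at all, unlike the first two — a one-liner each in the same style would keep the file self-describing.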
17 changes: 15 additions & 2 deletions conf/metadata.php
Expand Up @@ -6,5 +6,18 @@
* @author Matthias Schulte <post@lupo49.de>
*/

$meta['enableHeader'] = array('onoff');
$meta['allowValue'] = array('string');
$meta['enableHeader'] = array('onoff');
$meta['allowValue'] = array('string');
$meta['optionsInline'] = array('onoff');
$meta['optionsEval'] = array('onoff');
$meta['imgsrcValue'] = array('string');
$meta['mediasrcValue'] = array('string');
$meta['scriptsrcValue'] = array('string');
$meta['objectsrcValue'] = array('string');
$meta['framesrcValue'] = array('string');
$meta['fontsrcValue'] = array('string');
$meta['xhrsrcValue'] = array('string');
$meta['frameancestorsValue'] = array('string');
$meta['stylesrcValue'] = array('string');
$meta['reporturiValue'] = array('string');
$meta['policyuriValue'] = array('string');
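Review bot: Every new setting is declared as a bare `array('string')`, so any text an admin types — including semicolons that would smuggle in extra directives, or CR/LF — is accepted and later lands in the response header unchanged. If the config plugin in use honours the `_pattern` key, a header-safe pattern would reject such values at save time, e.g. `$meta['reporturiValue'] = array('string', '_pattern' => '/^[^\r\n;]*$/');` applied to each `*Value` entry. That is cheaper than filtering in action.php and surfaces the mistake to the admin immediately rather than in a broken policy.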
17 changes: 15 additions & 2 deletions lang/en/settings.php
Expand Up @@ -6,5 +6,18 @@
* @author Matthias Schulte <post@lupo49.de>
*/

$lang['enableHeader'] = 'Enables/Disables the CSP-Header';
$lang['allowValue'] = 'Set value for the "allow"-directive (default: self)';
$lang['enableHeader'] = 'Enables/Disables the CSP-Header';
$lang['allowValue'] = 'Set value for the "allow"-directive';
$lang['optionsInline'] = 'Enable/Disable the "options inline-script" directive';
$lang['optionsEval'] = 'Enable/Disable the "options eval-script" directive';
$lang['imgsrcValue'] = 'Set value for the "img-src"-directive';
$lang['mediasrcValue'] = 'Set value for the "media-src"-directive';
$lang['scriptsrcValue'] = 'Set value for the "script-src"-directive';
$lang['objectsrcValue'] = 'Set value for the "object-src"-directive';
$lang['framesrcValue'] = 'Set value for the "framesrc-src"-directive';
$lang['fontsrcValue'] = 'Set value for the "font-src"-directive';
$lang['xhrsrcValue'] = 'Set value for the "xhr-src"-directive';
$lang['frameancestorsValue'] = 'Set value for the "frame-ancestors"-directive';
$lang['stylesrcValue'] = 'Set value for the "style-src"-directive';
$lang['reporturiValue'] = 'Set value for the "report-uri"-directive (URL/Port must be equal to the CSP-Host)';
$lang['policyuriValue'] = 'Set value for the "policy-uri"-directive (conflicts with the other directives, see documentation)';
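Review bot: The help text for `framesrcValue` names a directive that does not exist, `"framesrc-src"`; it should read `$lang['framesrcValue'] = 'Set value for the "frame-src"-directive';`. The `allowValue` text also lost its `(default: self)` hint, and none of the host-expression texts say that keywords such as `'self'` must now be written with their quotes because the value is used verbatim — a short `(quote keywords: 'self', 'none')` suffix on `allowValue` would cover it.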
