/
SecurityPolicy.php
92 lines (81 loc) · 2.11 KB
/
SecurityPolicy.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
<?php
/**
* Matomo - free/libre analytics platform
*
* @link https://matomo.org
* @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
*
*/
namespace Piwik\View;
use Piwik\Config;
/**
* Content Security Policy HTTP Header management class
*
*/
class SecurityPolicy
{
/**
* The policies that will generate the CSP header.
* These are keyed by the directive.
*
* @var array
*/
private $policies = array();
private $cspEnabled = true;
private $reportOnly = false;
/**
* Constructor.
*/
public function __construct(Config $config) {
$this->policies['default-src'] = "'self' 'unsafe-inline' 'unsafe-eval'";
$generalConfig = $config->General;
$this->cspEnabled = $generalConfig['csp_enabled'];
$this->reportOnly = $generalConfig['csp_report_only'];
}
/**
* Appends a policy to a directive.
*
*/
public function addPolicy($directive, $value) {
if (isset($this->policies[$directive])) {
$this->policies[$directive] .= ' ' . $value;
} else {
$this->policies[$directive] = $value;
}
}
/**
* Removes a directive.
*
*/
public function removeDirective($directive) {
if (isset($this->policies[$directive])) {
unset($this->policies[$directive]);
}
}
/**
* Overrides a directive.
*
*/
public function overridePolicy($directive, $value) {
$this->policies[$directive] = $value;
}
/**
* Creates the Header String that can be inserted in the Content-Security-Policy header.
*
* @return string
*/
public function createHeaderString() {
if (!$this->cspEnabled) {
return '';
}
if ($this->reportOnly) {
$headerString = 'Content-Security-Policy-Report-Only: ';
} else {
$headerString = 'Content-Security-Policy: ';
}
foreach ($this->policies as $directive => $values) {
$headerString .= $directive . ' ' . $values . '; ';
}
return $headerString;
}
}