Merge pull request #1581 from jim-parry/testing14/http

ContentSecurityPolicy testing & enhancement
codeigniter4 · Dec 7, 2018 · 4027f38 · 4027f38
2 parents 2568589 + 5816b74
commit 4027f38
Show file tree

Hide file tree

Showing 5 changed files with 610 additions and 143 deletions.
diff --git a/application/Config/ContentSecurityPolicy.php b/application/Config/ContentSecurityPolicy.php
@@ -9,43 +9,40 @@
  * choose to use it. The values here will be read in and set as defaults
  * for the site. If needed, they can be overridden on a page-by-page basis.
  *
+ * Suggested reference for explanations:
+ *    https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+ *
  * @package Config
  */
 class ContentSecurityPolicy extends BaseConfig
 {
-	public $reportOnly = false;
-
-	public $defaultSrc = 'none';
-
-	public $scriptSrc = 'self';
-
-	public $styleSrc = 'self';
-
-	public $imageSrc = 'self';
-
-	public $baseURI = 'none';
-
-	public $childSrc = null;
-
-	public $connectSrc = 'self';
-
-	public $fontSrc = null;
-
-	public $formAction = null;
-
+	// broadbrush CSP management
+
+	public $reportOnly              = false; // default CSP report context
+	public $reportURI               = null; // URL to send violation reports to
+	public $upgradeInsecureRequests = false; // toggle for forcing https
+
+	// sources allowed; string or array of strings
+	// Note: once you set a policy to 'none', it cannot be further restricted
+
+	public $defaultSrc     = null; // will default to self if not over-ridden
+	public $scriptSrc      = 'self';
+	public $styleSrc       = 'self';
+	public $imageSrc       = 'self';
+	public $baseURI        = null;    // will default to self if not over-ridden
+	public $childSrc       = 'self';
+	public $connectSrc     = 'self';
+	public $fontSrc        = null;
+	public $formAction     = 'self';
 	public $frameAncestors = null;
+	public $mediaSrc       = null;
+	public $objectSrc      = 'self';
+	public $manifestSrc    = null;
 
-	public $mediaSrc = null;
-
-	public $objectSrc = null;
-
-	public $manifestSrc = null;
-
+	// mime types allowed; string or array of strings
 	public $pluginTypes = null;
 
-	public $reportURI = null;
-
-	public $sandbox = false;
+	// list of actions allowed; string or array of strings
+	public $sandbox = null;
 
-	public $upgradeInsecureRequests = false;
 }