Merge pull request #3892 from paulbalandan/csp

Update Content Security Policy
codeigniter4 · Nov 27, 2020 · b8c2faa · b8c2faa
2 parents fff69b0 + 791a5e9
commit b8c2faa
Show file tree

Hide file tree

Showing 2 changed files with 173 additions and 98 deletions.
diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
@@ -5,44 +5,155 @@
 use CodeIgniter\Config\BaseConfig;
 
 /**
- * Class ContentSecurityPolicyConfig
- *
  * Stores the default settings for the ContentSecurityPolicy, if you
  * choose to use it. The values here will be read in and set as defaults
  * for the site. If needed, they can be overridden on a page-by-page basis.
  *
  * Suggested reference for explanations:
- *    https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+ *
+ * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
  */
 class ContentSecurityPolicy extends BaseConfig
 {
-	// broadbrush CSP management
+	//-------------------------------------------------------------------------
+	// Broadbrush CSP management
+	//-------------------------------------------------------------------------
+
+	/**
+	 * Default CSP report context
+	 *
+	 * @var boolean
+	 */
+	public $reportOnly = false;
 
-	public $reportOnly              = false; // default CSP report context
-	public $reportURI               = null; // URL to send violation reports to
-	public $upgradeInsecureRequests = false; // toggle for forcing https
+	/**
+	 * Specifies a URL where a browser will send reports
+	 * when a content security policy is violated.
+	 *
+	 * @var string|null
+	 */
+	public $reportURI = null;
 
-	// sources allowed; string or array of strings
+	/**
+	 * Instructs user agents to rewrite URL schemes, changing
+	 * HTTP to HTTPS. This directive is for websites with
+	 * large numbers of old URLs that need to be rewritten.
+	 *
+	 * @var boolean
+	 */
+	public $upgradeInsecureRequests = false;
+
+	//-------------------------------------------------------------------------
+	// Sources allowed
 	// Note: once you set a policy to 'none', it cannot be further restricted
+	//-------------------------------------------------------------------------
+
+	/**
+	 * Will default to self if not overridden
+	 *
+	 * @var string|string[]|null
+	 */
+	public $defaultSrc = null;
+
+	/**
+	 * Lists allowed scripts' URLs.
+	 *
+	 * @var string|string[]
+	 */
+	public $scriptSrc = 'self';
+
+	/**
+	 * Lists allowed stylesheets' URLs.
+	 *
+	 * @var string|string[]
+	 */
+	public $styleSrc = 'self';
+
+	/**
+	 * Defines the origins from which images can be loaded.
+	 *
+	 * @var string|string[]
+	 */
+	public $imageSrc = 'self';
+
+	/**
+	 * Restricts the URLs that can appear in a page's `<base>` element.
+	 *
+	 * Will default to self if not overridden
+	 *
+	 * @var string|string[]|null
+	 */
+	public $baseURI = null;
 
-	public $defaultSrc     = null; // will default to self if not over-ridden
-	public $scriptSrc      = 'self';
-	public $styleSrc       = 'self';
-	public $imageSrc       = 'self';
-	public $baseURI        = null;    // will default to self if not over-ridden
-	public $childSrc       = 'self';
-	public $connectSrc     = 'self';
-	public $fontSrc        = null;
-	public $formAction     = 'self';
+	/**
+	 * Lists the URLs for workers and embedded frame contents
+	 *
+	 * @var string|string[]
+	 */
+	public $childSrc = 'self';
+
+	/**
+	 * Limits the origins that you can connect to (via XHR,
+	 * WebSockets, and EventSource).
+	 *
+	 * @var string|string[]
+	 */
+	public $connectSrc = 'self';
+
+	/**
+	 * Specifies the origins that can serve web fonts.
+	 *
+	 * @var string|string[]
+	 */
+	public $fontSrc = null;
+
+	/**
+	 * Lists valid endpoints for submission from `<form>` tags.
+	 *
+	 * @var string|string[]
+	 */
+	public $formAction = 'self';
+
+	/**
+	 * Specifies the sources that can embed the current page.
+	 * This directive applies to `<frame>`, `<iframe>`, `<embed>`,
+	 * and `<applet>` tags. This directive can't be used in
+	 * `<meta>` tags and applies only to non-HTML resources.
+	 *
+	 * @var string|string[]|null
+	 */
 	public $frameAncestors = null;
-	public $mediaSrc       = null;
-	public $objectSrc      = 'self';
-	public $manifestSrc    = null;
 
-	// mime types allowed; string or array of strings
+	/**
+	 * Restricts the origins allowed to deliver video and audio.
+	 *
+	 * @var string|string[]|null
+	 */
+	public $mediaSrc = null;
+
+	/**
+	 * Allows control over Flash and other plugins.
+	 *
+	 * @var string|string[]
+	 */
+	public $objectSrc = 'self';
+
+	/**
+	 * @var string|string[]|null
+	 */
+	public $manifestSrc = null;
+
+	/**
+	 * Limits the kinds of plugins a page may invoke.
+	 *
+	 * @var string|string[]|null
+	 */
 	public $pluginTypes = null;
 
-	// list of actions allowed; string or array of strings
+	/**
+	 * List of actions allowed.
+	 *
+	 * @var string|string[]|null
+	 */
 	public $sandbox = null;
-
 }