ContentSecurityPolicy testing & enhancement #1581

Merged
merged 7 commits into from
Dec 7, 2018
57 changes: 27 additions & 30 deletions application/Config/ContentSecurityPolicy.php
Expand Up @@ -9,43 +9,40 @@
* choose to use it. The values here will be read in and set as defaults
* for the site. If needed, they can be overridden on a page-by-page basis.
*
* Suggested reference for explanations:
* https://www.html5rocks.com/en/tutorials/security/content-security-policy/
*
* @package Config
*/
class ContentSecurityPolicy extends BaseConfig
{
public $reportOnly = false;

public $defaultSrc = 'none';

public $scriptSrc = 'self';

public $styleSrc = 'self';

public $imageSrc = 'self';

public $baseURI = 'none';

public $childSrc = null;

public $connectSrc = 'self';

public $fontSrc = null;

public $formAction = null;

// broadbrush CSP management

public $reportOnly = false; // default CSP report context
public $reportURI = null; // URL to send violation reports to
public $upgradeInsecureRequests = false; // toggle for forcing https

// sources allowed; string or array of strings
// Note: once you set a policy to 'none', it cannot be further restricted

public $defaultSrc = null; // will default to self if not over-ridden
public $scriptSrc = 'self';
public $styleSrc = 'self';
public $imageSrc = 'self';
public $baseURI = null; // will default to self if not over-ridden
public $childSrc = 'self';
public $connectSrc = 'self';
public $fontSrc = null;
public $formAction = 'self';
public $frameAncestors = null;
public $mediaSrc = null;
public $objectSrc = 'self';
public $manifestSrc = null;

public $mediaSrc = null;

public $objectSrc = null;

public $manifestSrc = null;

// mime types allowed; string or array of strings
public $pluginTypes = null;

public $reportURI = null;

public $sandbox = false;
// list of actions allowed; string or array of strings
public $sandbox = null;

public $upgradeInsecureRequests = false;
}
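Review bot: The new default `public $objectSrc = 'self';` permits plugin content (`<object>`, `<embed>`, `<applet>`) from the site's own origin, whereas the common hardening recommendation is `object-src 'none'` unless a site actually ships plugin content; consider `public $objectSrc = 'none'; // plugins are rarely needed; widen per page if required`. The directive comments would also benefit from stating what `null` means for each property — for `defaultSrc` and `baseURI` the comment says it falls back to `'self'`, but for the others it presumably means the directive is omitted (and for `frame-ancestors`, which does not inherit from `default-src`, that leaves no framing restriction by default; worth confirming and documenting). Since the properties are untyped, a `@var string|string[]|null` docblock on the source properties would let static analysis catch callers assigning other types. The `sandbox` comment `// list of actions allowed` would be clearer as `// sandbox flags (e.g. allow-forms); string or array of strings, null to omit`.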