HtmlEmailFooterView.php
2 years ago
HtmlReportEmailHeaderView.php
1 year ago
MethodCallExpression.php
1 year ago
OneClickDone.php
6 months ago
RenderTokenParser.php
1 year ago
SecurityPolicy.php
1 year ago
UIControl.php
2 years ago
ViewInterface.php
1 year ago
SecurityPolicy.php
119 lines
| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * Matomo - free/libre analytics platform |
| 5 | * |
| 6 | * @link https://matomo.org |
| 7 | * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later |
| 8 | */ |
| 9 | namespace Piwik\View; |
| 10 | |
| 11 | use Piwik\Config; |
| 12 | /** |
| 13 | * Content Security Policy HTTP Header management class |
| 14 | * |
| 15 | */ |
| 16 | class SecurityPolicy |
| 17 | { |
| 18 | /* |
| 19 | * Commonly used rules |
| 20 | */ |
| 21 | public const RULE_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval'"; |
| 22 | public const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:"; |
| 23 | public const RULE_EMBEDDED_FRAME = "'self' 'unsafe-inline' 'unsafe-eval' data: https: http:"; |
| 24 | /** |
| 25 | * The policies that will generate the CSP header. |
| 26 | * These are keyed by the directive. |
| 27 | * |
| 28 | * @var array |
| 29 | */ |
| 30 | private $policies = array(); |
| 31 | private $cspEnabled; |
| 32 | private $reportOnly; |
| 33 | /** |
| 34 | * Constructor. |
| 35 | */ |
| 36 | public function __construct(Config $config) |
| 37 | { |
| 38 | $this->policies['default-src'] = self::RULE_DEFAULT; |
| 39 | $this->policies['img-src'] = self::RULE_IMG_DEFAULT; |
| 40 | $generalConfig = $config->General; |
| 41 | $this->cspEnabled = $generalConfig['csp_enabled'] ?? \true; |
| 42 | $this->reportOnly = $generalConfig['csp_report_only'] ?? \false; |
| 43 | } |
| 44 | /** |
| 45 | * Appends a policy to a directive. |
| 46 | * |
| 47 | * @api |
| 48 | */ |
| 49 | public function addPolicy($directive, $value) |
| 50 | { |
| 51 | if (isset($this->policies[$directive])) { |
| 52 | $this->policies[$directive] .= ' ' . $value; |
| 53 | } else { |
| 54 | $this->policies[$directive] = $value; |
| 55 | } |
| 56 | } |
| 57 | /** |
| 58 | * Removes a directive. |
| 59 | * |
| 60 | * @api |
| 61 | */ |
| 62 | public function removeDirective($directive) |
| 63 | { |
| 64 | if (isset($this->policies[$directive])) { |
| 65 | unset($this->policies[$directive]); |
| 66 | } |
| 67 | } |
| 68 | /** |
| 69 | * Overrides a directive. |
| 70 | * |
| 71 | * @api |
| 72 | */ |
| 73 | public function overridePolicy($directive, $value) |
| 74 | { |
| 75 | $this->policies[$directive] = $value; |
| 76 | } |
| 77 | /** |
| 78 | * Disable CSP |
| 79 | * |
| 80 | * @api |
| 81 | */ |
| 82 | public function disable() |
| 83 | { |
| 84 | $this->cspEnabled = \false; |
| 85 | } |
| 86 | /** |
| 87 | * Creates the Header String that can be inserted in the Content-Security-Policy header. |
| 88 | * |
| 89 | * @return string |
| 90 | */ |
| 91 | public function createHeaderString() |
| 92 | { |
| 93 | if (!$this->cspEnabled) { |
| 94 | return ''; |
| 95 | } |
| 96 | if ($this->reportOnly) { |
| 97 | $headerString = 'Content-Security-Policy-Report-Only: '; |
| 98 | } else { |
| 99 | $headerString = 'Content-Security-Policy: '; |
| 100 | } |
| 101 | foreach ($this->policies as $directive => $values) { |
| 102 | $headerString .= $directive . ' ' . $values . '; '; |
| 103 | } |
| 104 | return $headerString; |
| 105 | } |
| 106 | /** |
| 107 | * A less restrictive CSP which will allow embedding other sites with iframes |
| 108 | * (useful for heatmaps and session recordings) |
| 109 | * |
| 110 | * @api |
| 111 | */ |
| 112 | public function allowEmbedPage() |
| 113 | { |
| 114 | $this->overridePolicy('default-src', self::RULE_EMBEDDED_FRAME); |
| 115 | $this->overridePolicy('img-src', self::RULE_EMBEDDED_FRAME); |
| 116 | $this->addPolicy('script-src', self::RULE_DEFAULT); |
| 117 | } |
| 118 | } |
| 119 |