PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 5.8.2
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v5.8.2
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / View / SecurityPolicy.php
matomo / app / core / View Last commit date
HtmlEmailFooterView.php 2 years ago HtmlReportEmailHeaderView.php 1 year ago MethodCallExpression.php 1 year ago OneClickDone.php 6 months ago RenderTokenParser.php 1 year ago SecurityPolicy.php 1 year ago UIControl.php 2 years ago ViewInterface.php 1 year ago
SecurityPolicy.php
119 lines
1 <?php
2
3 /**
4 * Matomo - free/libre analytics platform
5 *
6 * @link https://matomo.org
7 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
8 */
9 namespace Piwik\View;
10
11 use Piwik\Config;
12 /**
13 * Content Security Policy HTTP Header management class
14 *
15 */
16 class SecurityPolicy
17 {
18 /*
19 * Commonly used rules
20 */
21 public const RULE_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval'";
22 public const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:";
23 public const RULE_EMBEDDED_FRAME = "'self' 'unsafe-inline' 'unsafe-eval' data: https: http:";
24 /**
25 * The policies that will generate the CSP header.
26 * These are keyed by the directive.
27 *
28 * @var array
29 */
30 private $policies = array();
31 private $cspEnabled;
32 private $reportOnly;
33 /**
34 * Constructor.
35 */
36 public function __construct(Config $config)
37 {
38 $this->policies['default-src'] = self::RULE_DEFAULT;
39 $this->policies['img-src'] = self::RULE_IMG_DEFAULT;
40 $generalConfig = $config->General;
41 $this->cspEnabled = $generalConfig['csp_enabled'] ?? \true;
42 $this->reportOnly = $generalConfig['csp_report_only'] ?? \false;
43 }
44 /**
45 * Appends a policy to a directive.
46 *
47 * @api
48 */
49 public function addPolicy($directive, $value)
50 {
51 if (isset($this->policies[$directive])) {
52 $this->policies[$directive] .= ' ' . $value;
53 } else {
54 $this->policies[$directive] = $value;
55 }
56 }
57 /**
58 * Removes a directive.
59 *
60 * @api
61 */
62 public function removeDirective($directive)
63 {
64 if (isset($this->policies[$directive])) {
65 unset($this->policies[$directive]);
66 }
67 }
68 /**
69 * Overrides a directive.
70 *
71 * @api
72 */
73 public function overridePolicy($directive, $value)
74 {
75 $this->policies[$directive] = $value;
76 }
77 /**
78 * Disable CSP
79 *
80 * @api
81 */
82 public function disable()
83 {
84 $this->cspEnabled = \false;
85 }
86 /**
87 * Creates the Header String that can be inserted in the Content-Security-Policy header.
88 *
89 * @return string
90 */
91 public function createHeaderString()
92 {
93 if (!$this->cspEnabled) {
94 return '';
95 }
96 if ($this->reportOnly) {
97 $headerString = 'Content-Security-Policy-Report-Only: ';
98 } else {
99 $headerString = 'Content-Security-Policy: ';
100 }
101 foreach ($this->policies as $directive => $values) {
102 $headerString .= $directive . ' ' . $values . '; ';
103 }
104 return $headerString;
105 }
106 /**
107 * A less restrictive CSP which will allow embedding other sites with iframes
108 * (useful for heatmaps and session recordings)
109 *
110 * @api
111 */
112 public function allowEmbedPage()
113 {
114 $this->overridePolicy('default-src', self::RULE_EMBEDDED_FRAME);
115 $this->overridePolicy('img-src', self::RULE_EMBEDDED_FRAME);
116 $this->addPolicy('script-src', self::RULE_DEFAULT);
117 }
118 }
119