PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / trunk
Matomo Analytics – Powerful, Privacy-First Insights for WordPress vtrunk
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / View / SecurityPolicy.php
matomo / app / core / View Last commit date
HtmlEmailFooterView.php 2 years ago HtmlReportEmailHeaderView.php 1 month ago MethodCallExpression.php 1 year ago OneClickDone.php 6 months ago RenderTokenParser.php 1 year ago SecurityPolicy.php 1 month ago UIControl.php 1 month ago ViewInterface.php 1 year ago
SecurityPolicy.php
116 lines
1 <?php
2
3 /**
4 * Matomo - free/libre analytics platform
5 *
6 * @link https://matomo.org
7 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
8 */
9 namespace Piwik\View;
10
11 use Piwik\Config;
12 /**
13 * Content Security Policy HTTP Header management class
14 *
15 */
16 class SecurityPolicy
17 {
18 /*
19 * Commonly used rules
20 */
21 public const RULE_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval'";
22 public const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:";
23 public const RULE_EMBEDDED_FRAME = "'self' 'unsafe-inline' 'unsafe-eval' data: https: http:";
24 /**
25 * The policies that will generate the CSP header.
26 * These are keyed by the directive.
27 *
28 * @var array
29 */
30 private $policies = array();
31 private $cspEnabled;
32 private $reportOnly;
33 public function __construct(Config $config)
34 {
35 $this->policies['default-src'] = self::RULE_DEFAULT;
36 $this->policies['img-src'] = self::RULE_IMG_DEFAULT;
37 $generalConfig = $config->General;
38 $this->cspEnabled = $generalConfig['csp_enabled'] ?? \true;
39 $this->reportOnly = $generalConfig['csp_report_only'] ?? \false;
40 }
41 /**
42 * Appends a policy to a directive.
43 *
44 * @api
45 */
46 public function addPolicy($directive, $value)
47 {
48 if (isset($this->policies[$directive])) {
49 $this->policies[$directive] .= ' ' . $value;
50 } else {
51 $this->policies[$directive] = $value;
52 }
53 }
54 /**
55 * Removes a directive.
56 *
57 * @api
58 */
59 public function removeDirective($directive)
60 {
61 if (isset($this->policies[$directive])) {
62 unset($this->policies[$directive]);
63 }
64 }
65 /**
66 * Overrides a directive.
67 *
68 * @api
69 */
70 public function overridePolicy($directive, $value)
71 {
72 $this->policies[$directive] = $value;
73 }
74 /**
75 * Disable CSP
76 *
77 * @api
78 */
79 public function disable()
80 {
81 $this->cspEnabled = \false;
82 }
83 /**
84 * Creates the Header String that can be inserted in the Content-Security-Policy header.
85 *
86 * @return string
87 */
88 public function createHeaderString()
89 {
90 if (!$this->cspEnabled) {
91 return '';
92 }
93 if ($this->reportOnly) {
94 $headerString = 'Content-Security-Policy-Report-Only: ';
95 } else {
96 $headerString = 'Content-Security-Policy: ';
97 }
98 foreach ($this->policies as $directive => $values) {
99 $headerString .= $directive . ' ' . $values . '; ';
100 }
101 return $headerString;
102 }
103 /**
104 * A less restrictive CSP which will allow embedding other sites with iframes
105 * (useful for heatmaps and session recordings)
106 *
107 * @api
108 */
109 public function allowEmbedPage()
110 {
111 $this->overridePolicy('default-src', self::RULE_EMBEDDED_FRAME);
112 $this->overridePolicy('img-src', self::RULE_EMBEDDED_FRAME);
113 $this->addPolicy('script-src', self::RULE_DEFAULT);
114 }
115 }
116