Newer
Older
framework / app / Config / ContentSecurityPolicy.php
@MGatner MGatner on 18 May 2021 3 KB Release v4.1.2
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

/**
 * Stores the default settings for the ContentSecurityPolicy, if you
 * choose to use it. The values here will be read in and set as defaults
 * for the site. If needed, they can be overridden on a page-by-page basis.
 *
 * Suggested reference for explanations:
 *
 * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 */
class ContentSecurityPolicy extends BaseConfig
{
	//-------------------------------------------------------------------------
	// Broadbrush CSP management
	//-------------------------------------------------------------------------

	/**
	 * Default CSP report context
	 *
	 * @var boolean
	 */
	public $reportOnly = false;

	/**
	 * Specifies a URL where a browser will send reports
	 * when a content security policy is violated.
	 *
	 * @var string|null
	 */
	public $reportURI = null;

	/**
	 * Instructs user agents to rewrite URL schemes, changing
	 * HTTP to HTTPS. This directive is for websites with
	 * large numbers of old URLs that need to be rewritten.
	 *
	 * @var boolean
	 */
	public $upgradeInsecureRequests = false;

	//-------------------------------------------------------------------------
	// Sources allowed
	// Note: once you set a policy to 'none', it cannot be further restricted
	//-------------------------------------------------------------------------

	/**
	 * Will default to self if not overridden
	 *
	 * @var string|string[]|null
	 */
	public $defaultSrc = null;

	/**
	 * Lists allowed scripts' URLs.
	 *
	 * @var string|string[]
	 */
	public $scriptSrc = 'self';

	/**
	 * Lists allowed stylesheets' URLs.
	 *
	 * @var string|string[]
	 */
	public $styleSrc = 'self';

	/**
	 * Defines the origins from which images can be loaded.
	 *
	 * @var string|string[]
	 */
	public $imageSrc = 'self';

	/**
	 * Restricts the URLs that can appear in a page's `<base>` element.
	 *
	 * Will default to self if not overridden
	 *
	 * @var string|string[]|null
	 */
	public $baseURI = null;

	/**
	 * Lists the URLs for workers and embedded frame contents
	 *
	 * @var string|string[]
	 */
	public $childSrc = 'self';

	/**
	 * Limits the origins that you can connect to (via XHR,
	 * WebSockets, and EventSource).
	 *
	 * @var string|string[]
	 */
	public $connectSrc = 'self';

	/**
	 * Specifies the origins that can serve web fonts.
	 *
	 * @var string|string[]
	 */
	public $fontSrc = null;

	/**
	 * Lists valid endpoints for submission from `<form>` tags.
	 *
	 * @var string|string[]
	 */
	public $formAction = 'self';

	/**
	 * Specifies the sources that can embed the current page.
	 * This directive applies to `<frame>`, `<iframe>`, `<embed>`,
	 * and `<applet>` tags. This directive can't be used in
	 * `<meta>` tags and applies only to non-HTML resources.
	 *
	 * @var string|string[]|null
	 */
	public $frameAncestors = null;

	/**
	 * The frame-src directive restricts the URLs which may
	 * be loaded into nested browsing contexts.
	 *
	 * @var array|string|null
	 */
	public $frameSrc = null;

	/**
	 * Restricts the origins allowed to deliver video and audio.
	 *
	 * @var string|string[]|null
	 */
	public $mediaSrc = null;

	/**
	 * Allows control over Flash and other plugins.
	 *
	 * @var string|string[]
	 */
	public $objectSrc = 'self';

	/**
	 * @var string|string[]|null
	 */
	public $manifestSrc = null;

	/**
	 * Limits the kinds of plugins a page may invoke.
	 *
	 * @var string|string[]|null
	 */
	public $pluginTypes = null;

	/**
	 * List of actions allowed.
	 *
	 * @var string|string[]|null
	 */
	public $sandbox = null;
}