FilesExpand file tree

 phpstan

/

CspService.php

Copy path

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

96 lines (81 loc) · 2.52 KB

 phpstan

/

CspService.php

Top

File metadata and controls

• Code
• Blame

96 lines (81 loc) · 2.52 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

<?php

namespace BookStack\Util;

use Illuminate\Support\Str;

use Symfony\Component\HttpFoundation\Response;

class CspService

{

/** @var string */

protected $nonce;

public function __construct(string $nonce = '')

{

$this->nonce = $nonce ?: Str::random(24);

}

/**

* Get the nonce value for CSP.

*/

public function getNonce(): string

{

return $this->nonce;

}

/**

* Sets CSP 'script-src' headers to restrict the forms of script that can

* run on the page.

*/

public function setScriptSrc(Response $response)

{

if (config('app.allow_content_scripts')) {

return;

}

$parts = [

'http:',

'https:',

'\'nonce-' . $this->nonce . '\'',

'\'strict-dynamic\'',

];

$value = 'script-src ' . implode(' ', $parts);

$response->headers->set('Content-Security-Policy', $value, false);

}

/**

* Sets CSP "frame-ancestors" headers to restrict the hosts that BookStack can be

* iframed within. Also adjusts the cookie samesite options so that cookies will

* operate in the third-party context.

*/

public function setFrameAncestors(Response $response)

{

$iframeHosts = $this->getAllowedIframeHosts();

array_unshift($iframeHosts, "'self'");

$cspValue = 'frame-ancestors ' . implode(' ', $iframeHosts);

$response->headers->set('Content-Security-Policy', $cspValue, false);

}

/**

* Check if the user has configured some allowed iframe hosts.

*/

public function allowedIFrameHostsConfigured(): bool

{

return count($this->getAllowedIframeHosts()) > 0;

}

/**

* Sets CSP 'object-src' headers to restrict the types of dynamic content

* that can be embedded on the page.

*/

public function setObjectSrc(Response $response)

{

if (config('app.allow_content_scripts')) {

return;

}

$response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);

}

/**

* Sets CSP 'base-uri' headers to restrict what base tags can be set on

* the page to prevent manipulation of relative links.

*/

public function setBaseUri(Response $response)

{

$response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);

}

protected function getAllowedIframeHosts(): array

{

$hosts = config('app.iframe_hosts', '');

return array_filter(explode(' ', $hosts));

}

}