<?php

/**
 * @file
 * Installation hooks for csp.module.
 */

/**
 * Implements hook_requirements().
 *
 * Adds status-report warnings for three situations that weaken or nullify
 * the module's Content Security Policy:
 * - IE9 support (core older than 8.7, or the ie9 module) with CSS
 *   aggregation disabled, which forces inline styles to be allowed;
 * - neither the report-only nor the enforce policy being enabled, so no CSP
 *   header is sent at all;
 * - the Security Kit module also emitting a CSP header, which can conflict
 *   with the one produced here.
 *
 * @param string $phase
 *   The phase in which requirements are checked; only 'runtime' is handled.
 *
 * @return array
 *   Requirements keyed by 'csp_ie9', 'csp_enabled' and 'csp_seckit', each
 *   at REQUIREMENT_WARNING severity.
 */
function csp_requirements($phase) {
  if ($phase !== 'runtime') {
    return [];
  }

  $requirements = [];
  $moduleHandler = \Drupal::moduleHandler();
  $urlGenerator = \Drupal::urlGenerator();

  // Inline styles must be permitted for IE9 when CSS is not aggregated, which
  // is why this warning's value is the 'unsafe-inline' source expression.
  $hasIe9Module = $moduleHandler->moduleExists('ie9');
  $cssAggregated = \Drupal::config('system.performance')->get('css.preprocess');
  $needsIe9Support = $hasIe9Module || version_compare(\Drupal::VERSION, '8.7', '<');
  if ($needsIe9Support && !$cssAggregated) {
    $linkArgs = [
      ':system-performance' => $urlGenerator->generateFromRoute('system.performance_settings'),
      ':change-record-url' => 'https://www.drupal.org/node/2993171',
    ];
    if ($hasIe9Module) {
      $description = t('Support for IE9 requires allowing inline styles when CSS aggregation is disabled.  <br><a href=":system-performance">Enable CSS aggregation</a> to prevent allowing inline CSS.', $linkArgs);
    }
    else {
      $description = t('Legacy support for IE9 requires allowing inline styles when CSS aggregation is disabled.  <br><a href=":system-performance">Enable CSS aggregation</a>, or <a href=":change-record-url">upgrade to Drupal 8.7</a> to prevent allowing inline CSS.', $linkArgs);
    }
    $requirements['csp_ie9'] = [
      'title' => 'Content Security Policy IE9',
      'value' => "'unsafe-inline'",
      'description' => $description,
      'severity' => REQUIREMENT_WARNING,
    ];
  }

  // Without at least one enabled policy type no CSP header is sent.
  $cspConfig = \Drupal::config('csp.settings');
  $anyPolicyEnabled = FALSE;
  foreach (['report-only', 'enforce'] as $policyType) {
    if ($cspConfig->get($policyType . '.enable')) {
      $anyPolicyEnabled = TRUE;
      break;
    }
  }
  if (!$anyPolicyEnabled) {
    $requirements['csp_enabled'] = [
      'title' => 'Content Security Policy',
      'value' => t('No Content Security Policy headers are currently enabled.'),
      'description' => t('Enable a header via <a href=":csp-settings">the Content Security Policy settings</a>.', [
        ':csp-settings' => $urlGenerator->generateFromRoute('csp.settings'),
      ]),
      'severity' => REQUIREMENT_WARNING,
    ];
  }

  // Two modules emitting CSP headers is likely to produce conflicting
  // policies; point the administrator at the Security Kit setting.
  if ($moduleHandler->moduleExists('seckit')) {
    $seckitCspEnabled = \Drupal::config('seckit.settings')->get('seckit_xss.csp.checkbox');
    if ($seckitCspEnabled) {
      $requirements['csp_seckit'] = [
        'title' => 'Content Security Policy - Security Kit',
        'value' => t('Enabling Content Security Policy in Security Kit is likely to cause policy conflicts.'),
        'description' => t('Disable the Content Security Policy settings in <a href=":seckit-settings">Security Kit configuration</a>.', [
          ':seckit-settings' => $urlGenerator->generateFromRoute('seckit.settings'),
        ]),
        'severity' => REQUIREMENT_WARNING,
      ];
    }
  }

  return $requirements;
}

/**
 * Create module configuration.
 *
 * Seeds csp.settings with the legacy boolean 'enforce' flag set to FALSE, so
 * that a freshly updated site starts out without an enforced policy.
 */
function csp_update_8001() {
  $settings = \Drupal::configFactory()->getEditable('csp.settings');
  $settings->set('enforce', FALSE);
  $settings->save();
}

/**
 * Set default reporting settings.
 *
 * Records 'csp-module' as the legacy 'report.handler' value; later updates
 * (see csp_update_8101()) translate this key into a reporting plugin ID.
 */
function csp_update_8002() {
  $settings = \Drupal::configFactory()->getEditable('csp.settings');
  $settings->set('report.handler', 'csp-module');
  $settings->save();
}

/**
 * Update configuration format.
 *
 * Replaces the legacy boolean 'enforce' flag with two per-policy-type
 * sub-trees, 'enforce' and 'report-only'. Whichever type the legacy flag
 * selects becomes the active one and receives a starting directive set; the
 * other is written with 'enable' => FALSE.
 *
 * NOTE(review): the seeded script-src keeps the 'unsafe-inline' flag, which
 * largely removes CSP's protection against injected inline scripts.
 * Presumably retained so existing sites keep working after the update;
 * confirm, and tighten it in site configuration once inline scripts are
 * accounted for.
 */
function csp_update_8003() {
  $settings = \Drupal::configFactory()->getEditable('csp.settings');

  // The legacy flag decides which policy type becomes active.
  $wasEnforcing = (bool) $settings->get('enforce');
  $activeType = $wasEnforcing ? 'enforce' : 'report-only';
  $inactiveType = $wasEnforcing ? 'report-only' : 'enforce';

  $activePolicy = [
    'enable' => TRUE,
    'directives' => [
      'script-src' => [
        'base' => 'self',
        'flags' => ['unsafe-inline'],
      ],
      'style-src' => [
        'base' => 'self',
      ],
    ],
  ];

  $settings->set($activeType, $activePolicy);
  $settings->set($inactiveType, ['enable' => FALSE]);
  $settings->save();
}

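/**
 * Update configuration for Reporting Plugins.
 *
 * Converts the legacy 'report.handler' string into a 'report.plugin' ID and
 * drops the old key. A missing 'report' tree, a missing handler, or a
 * handler value not present in the map all resolve to the 'none' plugin
 * instead of triggering undefined-index notices and storing a null plugin
 * ID, which would otherwise be carried forward into per-policy reporting
 * settings by the next update.
 */
function csp_update_8101() {
  $settings = \Drupal::configFactory()->getEditable('csp.settings');

  // Legacy handler name => reporting plugin ID.
  $pluginMap = [
    '' => 'none',
    'report-uri-com' => 'report-uri-com',
    'csp-module' => 'sitelog',
    'uri' => 'uri',
  ];

  $reportConfig = $settings->get('report');
  if (!is_array($reportConfig)) {
    $reportConfig = [];
  }

  // Treat an absent handler like the empty string and an unrecognised one
  // like "no reporting" so the stored plugin ID is always a known value.
  $handler = isset($reportConfig['handler']) ? $reportConfig['handler'] : '';
  $reportConfig['plugin'] = isset($pluginMap[$handler]) ? $pluginMap[$handler] : 'none';
  unset($reportConfig['handler']);

  $settings->set('report', $reportConfig);
  $settings->save();
}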

/**
 * Update configuration with per-policy reporting settings.
 *
 * Moves the site-wide 'report' options under each policy type as
 * '<type>.reporting'. Only policy types whose 'enable' key is truthy receive
 * a copy; the top-level 'report' tree is cleared regardless, so a disabled
 * policy type does not retain the legacy reporting options.
 */
function csp_update_8102() {
  $settings = \Drupal::configFactory()->getEditable('csp.settings');

  $legacyReporting = $settings->get('report');
  $settings->clear('report');

  $policyTypes = ['enforce', 'report-only'];
  foreach ($policyTypes as $type) {
    $isEnabled = $settings->get($type . '.enable');
    if ($isEnabled) {
      $settings->set($type . '.reporting', $legacyReporting);
    }
  }

  $settings->save();
}
