private static function Csp::reduceAttrSourceList in Content-Security-Policy 8

Reduce the list of sources for an *-attr directive.

Parameters

array $sources: An array of sources.

Return value

array The reduced array of sources.

1 call to Csp::reduceAttrSourceList()
Csp::getHeaderValue in src/Csp.php
Get the header value.

File

src/Csp.php, line 502

Class

Csp
A CSP Header.

Namespace

Drupal\csp

Code

private static function reduceAttrSourceList(array $sources) {
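  // Keep only quoted sources (keywords and hashes). Host and scheme sources,
  // the wildcard and nonces are dropped.
  $sources = array_filter($sources, function ($source) {
    return $source[0] === "'" && $source !== "*" && strpos($source, "'nonce-") !== 0;
  });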

  // Hashes only work in CSP Level 3 with 'unsafe-hashes'.
  if (!in_array(self::POLICY_UNSAFE_HASHES, $sources)) {
    $sources = array_filter($sources, function ($source) {
      return !preg_match("<'(" . implode('|', self::HASH_ALGORITHMS) . ")-[a-z0-9+/=]+=*'>i", $source);
    });
  }

  // If all set sources have been removed, block all.
  if (empty($sources)) {
    $sources = [
      self::POLICY_NONE,
    ];
  }
  return $sources;
}