function _seckit_csp in Security Kit 6
Sends Content Security Policy HTTP headers.
The header specifies the Content Security Policy (CSP) for the website, which is used to allow or block content from selected sources.
Based on specification available at http://www.w3.org/TR/CSP/
1 call to _seckit_csp()
- seckit_init in ./
seckit.module - Implements hook_init().
File
- ./
seckit.module, line 107 - Allows administrators to improve security of the website.
Code
/**
 * Sends Content Security Policy HTTP headers.
 *
 * Builds the policy string from the module's CSP options
 * ($options['seckit_xss']['csp'] as returned by _seckit_get_options()) and
 * emits it under the official header name plus the two vendor-prefixed names.
 * When the 'report-only' option is set, the *-Report-Only header names are
 * used instead. No header is sent when no directive is configured.
 *
 * Based on specification available at http://www.w3.org/TR/CSP/
 */
function _seckit_csp() {
  $csp = _seckit_get_options();
  $csp = $csp['seckit_xss']['csp'];

  // Source directives, in the order they are written into the header value.
  // NOTE(review): option values are inserted into the header as-is; the
  // settings form is assumed to validate them -- confirm.
  $source_directives = array(
    'default-src',
    'script-src',
    'object-src',
    'style-src',
    'img-src',
    'media-src',
    'frame-src',
    'font-src',
    'connect-src',
  );

  if ($csp['policy-uri']) {
    // A policy-uri excludes every other directive, so it is the whole policy.
    $policy = 'policy-uri ' . base_path() . $csp['policy-uri'];
  }
  else {
    $parts = array();
    foreach ($source_directives as $name) {
      if ($csp[$name]) {
        $parts[] = $name . ' ' . $csp[$name];
      }
    }
    // report-uri is site-relative, so it is prefixed with the base path.
    if ($csp['report-uri']) {
      $parts[] = 'report-uri ' . base_path() . $csp['report-uri'];
    }
    $policy = implode('; ', $parts);
  }

  // Nothing configured: do not send an empty header.
  if (!$policy) {
    return;
  }

  $suffix = $csp['report-only'] ? '-Report-Only' : '';
  // Official name.
  drupal_set_header('Content-Security-Policy' . $suffix . ': ' . $policy);
  // Firefox and IE10.
  drupal_set_header('X-Content-Security-Policy' . $suffix . ': ' . $policy);
  // Chrome and Safari.
  drupal_set_header('X-WebKit-CSP' . $suffix . ': ' . $policy);
}