
function _seckit_csp in Security Kit 7

Same name and namespace in other branches
  1. 6 seckit.module \_seckit_csp()

Sends Content Security Policy HTTP headers.

The header specifies the Content Security Policy (CSP) for a website, which is used to allow or block content from selected sources.

Based on the specification available at http://www.w3.org/TR/CSP/

1 call to _seckit_csp()
seckit_init in ./seckit.module
Implements hook_init().

File

./seckit.module, line 238
Allows administrators to improve security of the website.

Code

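/**
 * Sends Content Security Policy HTTP headers.
 *
 * Reads the CSP settings from the module options, joins them into a single
 * policy string and emits it under the standard header name and, when
 * enabled, the legacy vendor-prefixed names. In report-only mode only the
 * *-Report-Only variants are sent, so nothing is enforced in that mode.
 *
 * Every configured value is written into the header verbatim; nothing in this
 * function validates it. No header is sent when no directive is configured.
 */
function _seckit_csp() {
  $options = _seckit_get_options();
  $options = $options['seckit_xss']['csp'];

  // The policy is either a lone policy-uri directive or an ordered list of
  // source directives; both end up as one ';'-separated string.
  if ($options['policy-uri']) {
    // If policy-uri is declared, no other directives are permitted. policy-uri
    // comes from an early CSP draft and was dropped before CSP 1.0; browsers
    // ignore unrecognised directives, so for them a policy made of policy-uri
    // alone is effectively empty. Note it is prefixed with base_path() while
    // report-uri below goes through url().
    $directives = 'policy-uri ' . base_path() . $options['policy-uri'];
  }
  else {
    $directives = _seckit_csp_build_directives($options);
  }

  // Nothing configured: send no header rather than an empty policy.
  if (!$directives) {
    return;
  }

  // Report-only mode differs only in the header name; the policy value is the
  // same for every header sent.
  $suffix = $options['report-only'] ? '-Report-Only' : '';
  drupal_add_http_header('Content-Security-Policy' . $suffix, $directives);

  // Legacy vendor-prefixed header names, each sent only when enabled.
  if ($options['vendor-prefix']['x']) {
    drupal_add_http_header('X-Content-Security-Policy' . $suffix, $directives);
  }
  if ($options['vendor-prefix']['webkit']) {
    drupal_add_http_header('X-WebKit-CSP' . $suffix, $directives);
  }
}

/**
 * Builds the ';'-separated directive string of a regular (non policy-uri) CSP.
 *
 * @param array $options
 *   The 'csp' sub-array of the seckit_xss options, keyed by directive name.
 *
 * @return string
 *   The joined directives, or an empty string when none is configured.
 */
function _seckit_csp_build_directives(array $options) {
  // Source-list directives whose header text is simply "<name> <value>".
  // Emission order is significant for readers of the header and is kept as is.
  $source_directives = array(
    'default-src',
    'script-src',
    'object-src',
    'style-src',
    'img-src',
    'media-src',
    'frame-src',
    'frame-ancestors',
    'child-src',
    'font-src',
    'connect-src',
  );

  $directives = array();
  foreach ($source_directives as $name) {
    if ($options[$name]) {
      $directives[] = $name . ' ' . $options[$name];
    }
  }

  // report-uri is passed through url(), so it is expected to be a Drupal path
  // rather than a ready-made absolute URL.
  if ($options['report-uri']) {
    $directives[] = 'report-uri ' . url($options['report-uri']);
  }
  if ($options['upgrade-req']) {
    $directives[] = 'upgrade-insecure-requests';
  }

  return implode('; ', $directives);
}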