
public function SecKitEventSubscriber::seckitCsp in Security Kit 8

Same name and namespace in other branches
  1. 2.x src/EventSubscriber/SecKitEventSubscriber.php \Drupal\seckit\EventSubscriber\SecKitEventSubscriber::seckitCsp()

Sends Content Security Policy HTTP headers.

The header specifies the Content Security Policy (CSP) for a website, which is used to allow or block content from selected sources.

Based on specification available at http://www.w3.org/TR/CSP/

1 call to SecKitEventSubscriber::seckitCsp()
SecKitEventSubscriber::onKernelResponse in src/EventSubscriber/SecKitEventSubscriber.php
Executes actions on the response event.

File

src/EventSubscriber/SecKitEventSubscriber.php, line 197

Class

SecKitEventSubscriber
Subscribes to an event.

Namespace

Drupal\seckit\EventSubscriber

Code

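/**
 * Sends Content Security Policy HTTP headers.
 *
 * Builds the policy string from the configured `seckit_xss.csp.*` values and
 * sets it on the response as `Content-Security-Policy` (or the
 * `-Report-Only` variant when report-only mode is enabled), plus the legacy
 * `X-Content-Security-Policy` / `X-WebKit-CSP` headers when the matching
 * vendor-prefix options are on. Nothing is sent when no directive is
 * configured.
 *
 * Directive values are taken from configuration verbatim; they are
 * administrator-supplied and are not validated or escaped here, so the
 * policy's correctness depends entirely on what was saved in the settings
 * form.
 *
 * Based on specification available at http://www.w3.org/TR/CSP/
 */
public function seckitCsp() {

  // Source-list directives in the order they are emitted, keyed by directive
  // name and mapped to the config key holding its value. The order matters
  // only for the exact header string, which is kept identical to what this
  // method has always produced.
  $source_directives = [
    'default-src' => 'seckit_xss.csp.default-src',
    'script-src' => 'seckit_xss.csp.script-src',
    'object-src' => 'seckit_xss.csp.object-src',
    'style-src' => 'seckit_xss.csp.style-src',
    'img-src' => 'seckit_xss.csp.img-src',
    'media-src' => 'seckit_xss.csp.media-src',
    'frame-src' => 'seckit_xss.csp.frame-src',
    'frame-ancestors' => 'seckit_xss.csp.frame-ancestors',
    'child-src' => 'seckit_xss.csp.child-src',
    'font-src' => 'seckit_xss.csp.font-src',
    'connect-src' => 'seckit_xss.csp.connect-src',
  ];

  // Prepare directives. A directive is only emitted when its configured value
  // is truthy, so an empty setting simply leaves that directive out.
  $directives = [];
  foreach ($source_directives as $directive => $config_key) {
    $value = $this->config->get($config_key);
    if ($value) {
      $directives[] = "{$directive} {$value}";
    }
  }

  // report-uri: internal paths are made site-relative so the browser posts
  // violation reports back to this site. (CSP Level 3 deprecates report-uri
  // in favour of report-to, but browsers still honour it.)
  $csp_report_uri = $this->config->get('seckit_xss.csp.report-uri');
  if ($csp_report_uri) {
    $base_path = '';
    if (!UrlHelper::isExternal($csp_report_uri)) {

      // Strip leading slashes from internal paths to prevent them becoming
      // external URLs without protocol. /report-csp-violation should not be
      // turned into //report-csp-violation
      $csp_report_uri = ltrim($csp_report_uri, '/');
      $base_path = base_path();
    }
    $directives[] = "report-uri " . $base_path . $csp_report_uri;
  }

  // upgrade-insecure-requests takes no value; it is a bare flag directive.
  if ($this->config->get('seckit_xss.csp.upgrade-req')) {
    $directives[] = 'upgrade-insecure-requests';
  }

  // Send the HTTP response header only if directives were prepared.
  if (!$directives) {
    return;
  }
  $policy = implode('; ', $directives);

  // Report-only mode switches every emitted header to its -Report-Only
  // variant, which makes browsers report violations without enforcing them.
  $header_suffix = $this->config->get('seckit_xss.csp.report-only')
    ? '-Report-Only'
    : '';

  // The standard header is always sent; the vendor-prefixed ones are opt-in.
  $header_names = ['Content-Security-Policy'];
  if ($this->config->get('seckit_xss.csp.vendor-prefix.x')) {
    $header_names[] = 'X-Content-Security-Policy';
  }
  if ($this->config->get('seckit_xss.csp.vendor-prefix.webkit')) {
    $header_names[] = 'X-WebKit-CSP';
  }
  foreach ($header_names as $header_name) {
    $this->response->headers->set($header_name . $header_suffix, $policy);
  }
}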