1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
<?php
/**
* Matomo - free/libre analytics platform
*
* @link https://matomo.org
* @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
*/
namespace Piwik\View;
use Piwik\Config;
/**
* Content Security Policy HTTP Header management class
*
*/
class SecurityPolicy
{
/*
* Commonly used rules
*/
public const RULE_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval'";
public const RULE_IMG_DEFAULT = "'self' 'unsafe-inline' 'unsafe-eval' data:";
public const RULE_EMBEDDED_FRAME = "'self' 'unsafe-inline' 'unsafe-eval' data: https: http:";
/**
* The policies that will generate the CSP header.
* These are keyed by the directive.
*
* @var array
*/
private $policies = array();
private $cspEnabled;
private $reportOnly;
/**
* Constructor.
*/
public function __construct(Config $config)
{
$this->policies['default-src'] = self::RULE_DEFAULT;
$this->policies['img-src'] = self::RULE_IMG_DEFAULT;
$generalConfig = $config->General;
$this->cspEnabled = $generalConfig['csp_enabled'] ?? true;
$this->reportOnly = $generalConfig['csp_report_only'] ?? false;
}
/**
* Appends a policy to a directive.
*
* @api
*/
public function addPolicy($directive, $value)
{
if (isset($this->policies[$directive])) {
$this->policies[$directive] .= ' ' . $value;
} else {
$this->policies[$directive] = $value;
}
}
/**
* Removes a directive.
*
* @api
*/
public function removeDirective($directive)
{
if (isset($this->policies[$directive])) {
unset($this->policies[$directive]);
}
}
/**
* Overrides a directive.
*
* @api
*/
public function overridePolicy($directive, $value)
{
$this->policies[$directive] = $value;
}
/**
* Disable CSP
*
* @api
*/
public function disable()
{
$this->cspEnabled = false;
}
/**
* Creates the Header String that can be inserted in the Content-Security-Policy header.
*
* @return string
*/
public function createHeaderString()
{
if (!$this->cspEnabled) {
return '';
}
if ($this->reportOnly) {
$headerString = 'Content-Security-Policy-Report-Only: ';
} else {
$headerString = 'Content-Security-Policy: ';
}
foreach ($this->policies as $directive => $values) {
$headerString .= $directive . ' ' . $values . '; ';
}
return $headerString;
}
/**
* A less restrictive CSP which will allow embedding other sites with iframes
* (useful for heatmaps and session recordings)
*
* @api
*/
public function allowEmbedPage()
{
$this->overridePolicy('default-src', self::RULE_EMBEDDED_FRAME);
$this->overridePolicy('img-src', self::RULE_EMBEDDED_FRAME);
$this->addPolicy('script-src', self::RULE_DEFAULT);
}
}
|
