<?php
namespace owasp\csp;
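/**
 * Builder for a Content-Security-Policy response header.
 *
 * The directive constants name the policy directives; the SOURCE_* constants
 * are the quoted keyword source expressions (the quotes are part of the token).
 * Sources are appended with addSource() and the complete header line — header
 * name included — comes from __toString()/toString(), so the caller emits it
 * with header((string) $csp).
 *
 * Security notes:
 *  - SOURCE_UNSAFE_INLINE / SOURCE_UNSAFE_EVAL re-enable inline script and
 *    eval(); on script-src they remove most of the XSS protection CSP offers.
 *  - default-src is the fallback for the fetch directives only; base-uri,
 *    form-action and frame-ancestors must be set explicitly to restrict
 *    <base> hijacking, form submission targets and framing (clickjacking).
 *  - addSource() accepts exactly one CSP token per call. Whitespace, ';' and
 *    ',' delimit sources, directives and policies, so a value containing them
 *    (or any non-printable / non-ASCII byte, e.g. CR/LF) could inject extra
 *    directives or header lines if it came from configuration or user input;
 *    such values are rejected with CSPException rather than emitted.
 *  - report-uri / report-to are not registered and cannot be set here.
 */
class ContentSecurityPolicy {
    /* Fetch directives; default-src is their fallback. */
    const DEFAULT_SRC = 'default-src';
    const SCRIPT_SRC = 'script-src';
    const OBJECT_SRC = 'object-src';
    const STYLE_SRC = 'style-src';
    const IMG_SRC = 'img-src';
    const MEDIA_SRC = 'media-src';
    const FRAME_SRC = 'frame-src';
    const FONT_SRC = 'font-src';
    const CONNECT_SRC = 'connect-src';
    /* Document / navigation directives; NOT covered by default-src. */
    const BASE_URI = 'base-uri';
    const FORM_ACTION = 'form-action';
    const FRAME_ANCESTORS = 'frame-ancestors';
    /* Keyword source expressions. Every constant not prefixed SOURCE_ is
     * treated as a directive by the constructor. */
    const SOURCE_NONE = "'none'";
    const SOURCE_SELF = "'self'";
    const SOURCE_UNSAFE_INLINE = "'unsafe-inline'";
    const SOURCE_UNSAFE_EVAL = "'unsafe-eval'";

    /** @var array<string, string[]> directive name => list of source tokens */
    private $policy;

    /** Starts with every known directive registered and empty. */
    public function __construct() {
        $this->policy = array();
        $this->setPolicySourceDirectives();
    }

    /**
     * Create an empty source list for each directive constant, i.e. every
     * class constant whose name does not start with SOURCE_. The header is
     * later emitted in this declaration order.
     */
    private function setPolicySourceDirectives() {
        $refl = new \ReflectionClass(__CLASS__);
        foreach ($refl->getConstants() as $name => $value) {
            if (strncmp($name, 'SOURCE_', 7) !== 0) {
                $this->policy[$value] = array();
            }
        }
    }

    /**
     * Return an independent copy of this policy (currently unused internally).
     * PHP arrays are copied by value, so assigning the map is a deep copy.
     */
    private function copy() {
        $retval = new ContentSecurityPolicy();
        $retval->policy = $this->policy;
        return $retval;
    }

    /**
     * Append one source expression to a directive.
     *
     * @param string $directive one of the directive constants (e.g. self::SCRIPT_SRC)
     * @param string $source    a single source expression: a keyword constant
     *                          (self::SOURCE_SELF), a scheme ('https:'), a host
     *                          ('https://cdn.example.com') or a 'nonce-…' /
     *                          'sha256-…' token
     * @return ContentSecurityPolicy $this, for chaining
     * @throws CSPException if the directive is unknown, or if the source is not
     *                      a string or not a single CSP token (empty, contains
     *                      whitespace, ';', ',' or a non-printable/non-ASCII
     *                      byte) — such a value could terminate the directive,
     *                      the policy or the header line and inject its own
     */
    public function addSource($directive, $source) {
        if (!is_string($directive) || !isset($this->policy[$directive])) {
            throw new CSPException("Invalid directive");
        }
        if (!self::isToken($source)) {
            throw new CSPException("Invalid source");
        }
        $this->policy[$directive][] = $source;
        return $this;
    }

    /**
     * True when $source is exactly one CSP token: one or more VCHARs
     * (0x21-0x7E) other than ';' (0x3B) and ',' (0x2C). \z (not $) so a
     * trailing newline is rejected too.
     */
    private static function isToken($source) {
        return is_string($source)
            && preg_match('/^[\x21-\x2B\x2D-\x3A\x3C-\x7E]+\z/', $source) === 1;
    }

    /** Alias of __toString() for callers that prefer an explicit method. */
    public function toString() {
        return $this->__toString();
    }

    /**
     * Render the full header line: "Content-Security-Policy: " followed by the
     * directives that have at least one source, as "<directive> <src> <src>"
     * joined by "; ". Directives without sources are omitted, so an empty
     * policy renders as the bare header name.
     */
    public function __toString() {
        $parts = array();
        foreach ($this->policy as $directive => $sources) {
            if (count($sources) > 0) {
                $parts[] = $directive . ' ' . implode(' ', $sources);
            }
        }
        return 'Content-Security-Policy: ' . implode('; ', $parts);
    }
}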
class CSPException extends \Exception {}
use owasp\csp\ContentSecurityPolicy as CSP;
// Example: build a policy and print the resulting header line.
// NOTE(review): the script-src and style-src hosts below are plain http://,
// so an on-path attacker can replace the fetched script/stylesheet; a real
// policy should whitelist https:// origins only. Whitelisting a whole host
// also allows anything else served from it.
// NOTE(review): Google Fonts serves its CSS from fonts.googleapis.com and the
// font files from fonts.gstatic.com — confirm the font-src host is the right one.
$policy = new CSP();
$policy->addSource(CSP::DEFAULT_SRC, CSP::SOURCE_SELF);
$policy->addSource(CSP::SCRIPT_SRC, CSP::SOURCE_SELF);
$policy->addSource(CSP::SCRIPT_SRC, 'http://code.jquery.com');
$policy->addSource(CSP::STYLE_SRC, CSP::SOURCE_SELF);
$policy->addSource(CSP::STYLE_SRC, 'http://tracker.cztorrent.net/');
$policy->addSource(CSP::FONT_SRC, 'https://fonts.googleapis.com');
echo $policy->toString();
exit("\nDone!\n");
- Output for 5.3.0 - 5.3.29, 5.4.0 - 5.4.45, 5.5.24 - 5.5.35, 5.6.8 - 5.6.28, 7.0.0 - 7.0.20, 7.1.0 - 7.1.25, 7.2.0 - 7.2.33, 7.3.0 - 7.3.33, 7.4.0 - 7.4.33, 8.0.0 - 8.0.30, 8.1.0 - 8.1.28, 8.2.0 - 8.2.18, 8.3.0 - 8.3.6
- Content-Security-Policy: default-src 'self'; script-src 'self' http://code.jquery.com; style-src 'self' http://tracker.cztorrent.net/; font-src https://fonts.googleapis.com
Done!
- Output for 4.4.2 - 4.4.9, 5.1.0 - 5.1.6, 5.2.0 - 5.2.17
- Parse error: syntax error, unexpected T_STRING in /in/UIbvT on line 2
Process exited with code 255.
- Output for 4.3.0 - 4.3.1, 4.3.5 - 4.3.11, 4.4.0 - 4.4.1, 5.0.0 - 5.0.5
- Parse error: parse error, unexpected T_STRING in /in/UIbvT on line 2
Process exited with code 255.
- Output for 4.3.2 - 4.3.4
- Parse error: parse error in /in/UIbvT on line 2
Process exited with code 255.