<?php
namespace Config;
use CodeIgniter\Config\BaseConfig;
/**
* Stores the default settings for the ContentSecurityPolicy, if you
* choose to use it. The values here will be read in and set as defaults
* for the site. If needed, they can be overridden on a page-by-page basis.
*
* Suggested reference for explanations:
*
* @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
*/
class ContentSecurityPolicy extends BaseConfig
{
// -------------------------------------------------------------------------
// Broadbrush CSP management
// -------------------------------------------------------------------------
/**
* Default CSP report context
*
* @var bool
*/
public $reportOnly = false; // default false
/**
* Specifies a URL where a browser will send reports
* when a content security policy is violated.
*
* @var string|null
*/
public $reportURI;
/**
* Instructs user agents to rewrite URL schemes, changing
* HTTP to HTTPS. This directive is for websites with
* large numbers of old URLs that need to be rewritten.
*
* @var bool
*/
public $upgradeInsecureRequests = false;
// -------------------------------------------------------------------------
// Sources allowed
// Note: once you set a policy to 'none', it cannot be further restricted
// -------------------------------------------------------------------------
/**
* Will default to self if not overridden
*
* @var string|string[]|null
*/
public $defaultSrc;
/**
* Lists allowed scripts' URLs.
*
* @var string|string[]
*/
public $scriptSrc = ['self', 'https://www.youtube.com/']; // default self
/**
* Lists allowed stylesheets' URLs.
*
* @var string|string[]
*/
public $styleSrc = ['self', 'https://fonts.googleapis.com/']; // default self
/**
* Defines the origins from which images can be loaded.
*
* @var string|string[]
*/
public $imageSrc = ['self', 'https://img.youtube.com/', 'data:']; // default self
/**
* Restricts the URLs that can appear in a page's `<base>` element.
*
* Will default to self if not overridden
*
* @var string|string[]|null
*/
public $baseURI;
/**
* Lists the URLs for workers and embedded frame contents
*
* @var string|string[]
*/
public $childSrc = ['self', 'https://www.youtube.com/']; // default self
/**
* Limits the origins that you can connect to (via XHR,
* WebSockets, and EventSource).
*
* @var string|string[]
*/
public $connectSrc = 'self';
/**
* Specifies the origins that can serve web fonts.
*
* @var string|string[]
*/
public $fontSrc = ['self', 'https://fonts.gstatic.com']; // default empty
/**
* Lists valid endpoints for submission from `<form>` tags.
*
* @var string|string[]
*/
public $formAction = 'self';
/**
* Specifies the sources that can embed the current page.
* This directive applies to `<frame>`, `<iframe>`, `<embed>`,
* and `<applet>` tags. This directive can't be used in
* `<meta>` tags and applies only to non-HTML resources.
*
* @var string|string[]|null
*/
public $frameAncestors; // default empty
/**
* The frame-src directive restricts the URLs which may
* be loaded into nested browsing contexts.
*
* @var array|string|null
*/
public $frameSrc;
/**
* Restricts the origins allowed to deliver video and audio.
*
* @var string|string[]|null
*/
public $mediaSrc = ['self', 'blob:']; // default empty
/**
* Allows control over Flash and other plugins.
*
* @var string|string[]
*/
public $objectSrc = 'self';
/**
* @var string|string[]|null
*/
public $manifestSrc;
/**
* Limits the kinds of plugins a page may invoke.
*
* @var string|string[]|null
*/
public $pluginTypes;
/**
* List of actions allowed.
*
* @var string|string[]|null
*/
public $sandbox;
/**
* Nonce tag for style
*
* @var string
*/
public $styleNonceTag = '{csp-style-nonce}';
/**
* Nonce tag for script
*
* @var string
*/
public $scriptNonceTag = '{csp-script-nonce}';
/**
* Replace nonce tag automatically
*
* @var bool
*/
public $autoNonce = false; // true;
}
Content Security Policy with config autoNonce = false;
