<?php
namespace Coast;
use Coast\App\Access;
use Coast\App\Executable;
use Coast\Request;
use Coast\Response;
use Coast\Url;
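/**
 * Builds a Content-Security-Policy header from named directives and
 * reusable source groups, and attaches it to the response in postExecute().
 *
 * Constructor options are applied by calling the public setter of the same
 * name, e.g. ['directives' => [...], 'isReportOnly' => true].
 */
class Csp implements Access, Executable
{
    use Access\Implementation;
    use Executable\Implementation;

    /** Per-instance nonce, generated lazily by nonce(). */
    protected $_nonce;

    /** When true, emit Content-Security-Policy-Report-Only instead of the enforcing header. */
    protected $_isReportOnly = false;

    /** Optional report-uri endpoint appended to the policy. */
    protected $_reportUrl;

    /** Named source lists that directive sources may reference by group name. */
    protected $_groups = [];

    /** Directive name => source list (a string, an array, or group names). */
    protected $_directives = [];

    /**
     * @param array $options option name => value; each is forwarded to the
     *                       public setter of the same name.
     * @throws \Coast\Exception when an option name starts with '_' (protected
     *                          state) or has no matching setter.
     */
    public function __construct(array $options = [])
    {
        foreach ($options as $name => $value) {
            $name = (string) $name;
            // Underscore-prefixed names map onto protected members; refuse them
            // explicitly instead of relying on the dynamic call to fail.
            if (substr($name, 0, 1) === '_') {
                throw new \Coast\Exception("Access to '{$name}' is prohibited");
            }
            if (!is_callable([$this, $name])) {
                throw new \Coast\Exception("Unknown option '{$name}'");
            }
            $this->$name($value);
        }
    }

    /**
     * Get or set the report-uri endpoint.
     *
     * With an argument (even null) this is a setter and returns $this;
     * without one it returns the current Url or null.
     *
     * @param Url|null $reportUrl
     * @return $this|Url|null
     */
    public function reportUrl(?Url $reportUrl = null)
    {
        if (func_num_args() > 0) {
            $this->_reportUrl = $reportUrl;
            return $this;
        }
        return $this->_reportUrl;
    }

    /**
     * Get or set report-only mode.
     *
     * @param mixed $isReportOnly coerced to bool when setting
     * @return $this|bool
     */
    public function isReportOnly($isReportOnly = null)
    {
        if (func_num_args() > 0) {
            $this->_isReportOnly = (bool) $isReportOnly;
            return $this;
        }
        return $this->_isReportOnly;
    }

    /**
     * Get or set a named source group.
     *
     * @param string $name
     * @param mixed  $value source list; only stored when passed explicitly
     * @return $this|mixed the group's value (null if undefined) when getting
     */
    public function group($name, $value = null)
    {
        if (func_num_args() > 1) {
            $this->_groups[$name] = $value;
            return $this;
        }
        // Undefined groups read as null rather than raising an undefined-index notice.
        return isset($this->_groups[$name]) ? $this->_groups[$name] : null;
    }

    /**
     * Get all groups, or set several at once via group().
     *
     * @param array|null $groups name => source list
     * @return $this|array
     */
    public function groups(?array $groups = null)
    {
        if (func_num_args() > 0) {
            foreach ((array) $groups as $name => $value) {
                $this->group($name, $value);
            }
            return $this;
        }
        return $this->_groups;
    }

    /**
     * Get or set a single directive.
     *
     * @param string $name  directive name, e.g. 'script-src'
     * @param mixed  $value source list; only stored when passed explicitly
     * @return $this|mixed the directive's value (null if undefined) when getting
     */
    public function directive($name, $value = null)
    {
        if (func_num_args() > 1) {
            $this->_directives[$name] = $value;
            return $this;
        }
        return isset($this->_directives[$name]) ? $this->_directives[$name] : null;
    }

    /**
     * Get all directives, or set several at once via directive().
     *
     * @param array|null $directives name => source list
     * @return $this|array
     */
    public function directives(?array $directives = null)
    {
        if (func_num_args() > 0) {
            foreach ((array) $directives as $name => $value) {
                $this->directive($name, $value);
            }
            return $this;
        }
        return $this->_directives;
    }

    /**
     * Append one source to a group, creating the group if needed.
     *
     * @return $this
     */
    public function groupSource($group, $value)
    {
        $this->_groups[$group][] = $value;
        return $this;
    }

    /**
     * Append several sources to a group.
     *
     * @return $this
     */
    public function groupSources($group, array $values)
    {
        foreach ($values as $value) {
            $this->groupSource($group, $value);
        }
        return $this;
    }

    /**
     * Append one source to a directive, creating the directive if needed.
     *
     * @return $this
     */
    public function directiveSource($directive, $value)
    {
        $this->_directives[$directive][] = $value;
        return $this;
    }

    /**
     * Append several sources to a directive.
     *
     * @return $this
     */
    public function directiveSources($directive, array $values)
    {
        foreach ($values as $value) {
            $this->directiveSource($directive, $value);
        }
        return $this;
    }

    /**
     * Return this instance's nonce, generating it on first use.
     *
     * The same value is returned for the lifetime of the object, so the
     * header and any inline script tags rendered from it agree.
     *
     * @return string
     */
    public function nonce()
    {
        // NOTE(review): the nonce is what authorises inline scripts, so it must be
        // unpredictable and fresh per response; confirm \Coast\pseudo_random() is
        // backed by a CSPRNG (random_bytes) — TODO confirm.
        if (!isset($this->_nonce)) {
            $this->_nonce = \Coast\pseudo_random();
        }
        return $this->_nonce;
    }

    /**
     * Render the policy as a header value.
     *
     * @return string directives joined by '; ', with report-uri last when set
     */
    public function toString()
    {
        $parts = [];
        foreach ($this->_directives as $name => $sources) {
            $rendered = $this->_parseSources($sources);
            // Some directives (e.g. upgrade-insecure-requests) carry no sources;
            // emit the bare name instead of a trailing space.
            $parts[] = $rendered === '' ? $name : "{$name} {$rendered}";
        }
        if (isset($this->_reportUrl)) {
            $parts[] = "report-uri {$this->_reportUrl}";
        }
        return implode('; ', $parts);
    }

    /**
     * Render a source list to its header form.
     *
     * Each entry may be a group name (expanded recursively), a nested array,
     * a CSP keyword (single-quoted as the spec requires), the literal 'nonce'
     * (replaced by the per-instance nonce expression), or a scheme/host source
     * emitted verbatim.
     *
     * @param string|array $sources a single source or a list of them
     * @return string space-separated source expressions
     */
    protected function _parseSources($sources)
    {
        // Directives may be set with a plain string, so scalars are accepted;
        // the former `array` type hint made that path a TypeError.
        if (!is_array($sources)) {
            $sources = [$sources];
        }
        $parts = [];
        foreach ($sources as $value) {
            if (!is_array($value) && isset($this->_groups[$value])) {
                $value = $this->_groups[$value];
            }
            if (is_array($value)) {
                $parts[] = $this->_parseSources($value);
                continue;
            }
            $value = (string) $value;
            // Keywords and hash/nonce sources must be single-quoted; host
            // sources must not be. Covers the CSP3 keyword set.
            $keyword = '/^(none|self|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic'
                . '|report-sample|wasm-unsafe-eval|(nonce|sha256|sha384|sha512)-.+)$/i';
            if (preg_match($keyword, $value)) {
                $parts[] = "'{$value}'";
            } elseif ($value === 'nonce') {
                $parts[] = "'nonce-{$this->nonce()}'";
            } else {
                $parts[] = $value;
            }
        }
        return implode(' ', $parts);
    }

    /**
     * Attach the policy header to the response after the request is handled.
     *
     * @param Request  $req unused; required by the Executable contract
     * @param Response $res receives the CSP (or report-only) header
     */
    public function postExecute(Request $req, Response $res)
    {
        $header = $this->_isReportOnly
            ? 'Content-Security-Policy-Report-Only'
            : 'Content-Security-Policy';
        $res->header($header, $this->toString());
    }

    /** @return string the rendered policy */
    public function __toString()
    {
        return $this->toString();
    }

    /** @return string the rendered policy */
    public function __invoke()
    {
        return $this->toString();
    }
}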