Changeset View
Changeset View
Standalone View
Standalone View
src/aphront/response/AphrontResponse.php
| Show All 22 Lines | abstract class AphrontResponse extends Phobject { | ||||
| final public function addContentSecurityPolicyURI($kind, $uri) { | final public function addContentSecurityPolicyURI($kind, $uri) { | ||||
| if ($this->contentSecurityPolicyURIs === null) { | if ($this->contentSecurityPolicyURIs === null) { | ||||
| $this->contentSecurityPolicyURIs = array( | $this->contentSecurityPolicyURIs = array( | ||||
| 'script-src' => array(), | 'script-src' => array(), | ||||
| 'connect-src' => array(), | 'connect-src' => array(), | ||||
| 'frame-src' => array(), | 'frame-src' => array(), | ||||
| 'form-action' => array(), | 'form-action' => array(), | ||||
| 'object-src' => array(), | |||||
| ); | ); | ||||
| } | } | ||||
| if (!isset($this->contentSecurityPolicyURIs[$kind])) { | if (!isset($this->contentSecurityPolicyURIs[$kind])) { | ||||
| throw new Exception( | throw new Exception( | ||||
| pht( | pht( | ||||
| 'Unknown Content-Security-Policy URI kind "%s".', | 'Unknown Content-Security-Policy URI kind "%s".', | ||||
| $kind)); | $kind)); | ||||
| ▲ Show 20 Lines • Show All 119 Lines • ▼ Show 20 Lines | private function newContentSecurityPolicyHeader() { | ||||
| // the user is convinced to click a element on the page, which really | // the user is convinced to click a element on the page, which really | ||||
| // clicks a dangerous button hidden under a picture of a cat. | // clicks a dangerous button hidden under a picture of a cat. | ||||
| if ($this->frameable) { | if ($this->frameable) { | ||||
| $csp[] = "frame-ancestors 'self'"; | $csp[] = "frame-ancestors 'self'"; | ||||
| } else { | } else { | ||||
| $csp[] = "frame-ancestors 'none'"; | $csp[] = "frame-ancestors 'none'"; | ||||
| } | } | ||||
| // Block relics of the old world: Flash, Java applets, and so on. | // Block relics of the old world: Flash, Java applets, and so on. Note | ||||
| $csp[] = "object-src 'none'"; | // that Chrome prevents the user from viewing PDF documents if they are | ||||
| // served with a policy which excludes the domain they are served from. | |||||
| $csp[] = $this->newContentSecurityPolicy('object-src', "'none'"); | |||||
| // Don't allow forms to submit offsite. | // Don't allow forms to submit offsite. | ||||
| // This can result in some trickiness with file downloads if applications | // This can result in some trickiness with file downloads if applications | ||||
| // try to start downloads by submitting a dialog. Redirect to the file's | // try to start downloads by submitting a dialog. Redirect to the file's | ||||
| // download URI instead of submitting a form to it. | // download URI instead of submitting a form to it. | ||||
| $csp[] = $this->newContentSecurityPolicy('form-action', "'self'"); | $csp[] = $this->newContentSecurityPolicy('form-action', "'self'"); | ||||
| ▲ Show 20 Lines • Show All 248 Lines • Show Last 20 Lines | |||||