src/aphront/response/AphrontResponse.php
Show All 22 Lines | abstract class AphrontResponse extends Phobject { | ||||
final public function addContentSecurityPolicyURI($kind, $uri) { | final public function addContentSecurityPolicyURI($kind, $uri) { | ||||
if ($this->contentSecurityPolicyURIs === null) { | if ($this->contentSecurityPolicyURIs === null) { | ||||
$this->contentSecurityPolicyURIs = array( | $this->contentSecurityPolicyURIs = array( | ||||
'script-src' => array(), | 'script-src' => array(), | ||||
'connect-src' => array(), | 'connect-src' => array(), | ||||
'frame-src' => array(), | 'frame-src' => array(), | ||||
'form-action' => array(), | 'form-action' => array(), | ||||
'object-src' => array(), | |||||
); | ); | ||||
} | } | ||||
if (!isset($this->contentSecurityPolicyURIs[$kind])) { | if (!isset($this->contentSecurityPolicyURIs[$kind])) { | ||||
throw new Exception( | throw new Exception( | ||||
pht( | pht( | ||||
'Unknown Content-Security-Policy URI kind "%s".', | 'Unknown Content-Security-Policy URI kind "%s".', | ||||
$kind)); | $kind)); | ||||
▲ Show 20 Lines • Show All 119 Lines • ▼ Show 20 Lines | private function newContentSecurityPolicyHeader() { | ||||
// the user is convinced to click a element on the page, which really | // the user is convinced to click a element on the page, which really | ||||
// clicks a dangerous button hidden under a picture of a cat. | // clicks a dangerous button hidden under a picture of a cat. | ||||
if ($this->frameable) { | if ($this->frameable) { | ||||
$csp[] = "frame-ancestors 'self'"; | $csp[] = "frame-ancestors 'self'"; | ||||
} else { | } else { | ||||
$csp[] = "frame-ancestors 'none'"; | $csp[] = "frame-ancestors 'none'"; | ||||
} | } | ||||
// Block relics of the old world: Flash, Java applets, and so on. | // Block relics of the old world: Flash, Java applets, and so on. Note | ||||
$csp[] = "object-src 'none'"; | // that Chrome prevents the user from viewing PDF documents if they are | ||||
// served with a policy which excludes the domain they are served from. | |||||
$csp[] = $this->newContentSecurityPolicy('object-src', "'none'"); | |||||
// Don't allow forms to submit offsite. | // Don't allow forms to submit offsite. | ||||
// This can result in some trickiness with file downloads if applications | // This can result in some trickiness with file downloads if applications | ||||
// try to start downloads by submitting a dialog. Redirect to the file's | // try to start downloads by submitting a dialog. Redirect to the file's | ||||
// download URI instead of submitting a form to it. | // download URI instead of submitting a form to it. | ||||
$csp[] = $this->newContentSecurityPolicy('form-action', "'self'"); | $csp[] = $this->newContentSecurityPolicy('form-action', "'self'"); | ||||
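Review bot: The new `'object-src' => array()` kind in addContentSecurityPolicyURI and the switch from the literal `object-src 'none'` to `newContentSecurityPolicy('object-src', "'none'")` mean any host registered under this kind will be allowed to serve plugin content (the Flash and Java applets the existing comment says this directive exists to block), but nothing in the hunk records that the relaxation is meant only for the file-serving domain that the PDF note describes. I would add a comment at the new `'object-src' => array()` entry, e.g. `// Only the file domain should be registered here: every host listed can serve plugin content that "object-src 'none'" otherwise blocks.` If newContentSecurityPolicy() merely appends the registered URIs after `'none'` (its body is outside this hunk, so I am inferring from the `form-action` line), note that browsers ignore `'none'` once other source expressions are present, so the resulting header is effectively `object-src <host>` rather than a default-deny with an exception; that is fine, but worth saying in the comment so nobody expects `'none'` to keep applying. Both addContentSecurityPolicyURI and newContentSecurityPolicyHeader start and end outside the visible hunk.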