Changeset View
Changeset View
Standalone View
Standalone View
src/aphront/response/AphrontResponse.php
| Show First 20 Lines • Show All 212 Lines • ▼ Show 20 Lines | /* -( Metadata )----------------------------------------------------------- */ | ||||
| private function newContentSecurityPolicySource($uri) { | private function newContentSecurityPolicySource($uri) { | ||||
| // Some CSP URIs are ultimately user controlled (like notification server | // Some CSP URIs are ultimately user controlled (like notification server | ||||
| // URIs and CDN URIs) so attempt to stop an attacker from injecting an | // URIs and CDN URIs) so attempt to stop an attacker from injecting an | ||||
| // unsafe source (like 'unsafe-eval') into the CSP header. | // unsafe source (like 'unsafe-eval') into the CSP header. | ||||
| $uri = id(new PhutilURI($uri)) | $uri = id(new PhutilURI($uri)) | ||||
| ->setPath(null) | ->setPath(null) | ||||
| ->setFragment(null) | ->setFragment(null) | ||||
| ->setQueryParams(array()); | ->removeAllQueryParams(); | ||||
| $uri = (string)$uri; | $uri = (string)$uri; | ||||
| if (preg_match('/[ ;\']/', $uri)) { | if (preg_match('/[ ;\']/', $uri)) { | ||||
| throw new Exception( | throw new Exception( | ||||
| pht( | pht( | ||||
| 'Attempting to emit a response with an unsafe source ("%s") in the '. | 'Attempting to emit a response with an unsafe source ("%s") in the '. | ||||
| 'Content-Security-Policy header.', | 'Content-Security-Policy header.', | ||||
| $uri)); | $uri)); | ||||
| ▲ Show 20 Lines • Show All 205 Lines • Show Last 20 Lines | |||||