mvccore / ext-tool-csp
MvcCore - Extension - Tool - Csp - utility to easilly complete `Content-Security-Policy` HTTP header.
v5.0.5
2022-10-28 09:08 UTC
Requires
- php: >=5.4.0
- mvccore/mvccore: ^5.1.39
Requires (Dev)
- php: >=5.4.0
- nette/tester: <=2.4
- tomflidr/tracy: <=2.5.13
README
Installation
composer require mvccore/ext-tool-csp
Features
Extension to easilly complete Content-Security-Policy
HTTP header.
Read more info here:
Usage
<?php include_once('vendor/autoload.php'); use \MvcCore\Ext\Tools\Csp; $csp = Csp::GetInstance() ->Disallow( Csp::FETCH_DEFAULT_SRC | Csp::FETCH_OBJECT_SRC ) ->AllowSelf( Csp::FETCH_SCRIPT_SRC | Csp::FETCH_STYLE_SRC | Csp::FETCH_IMG_SRC | Csp::FETCH_FONT_SRC | Csp::FETCH_MEDIA_SRC | Csp::FETCH_CONNECT_SRC | Csp::FETCH_FRAME_SRC ) ->AllowHosts( Csp::FETCH_SCRIPT_SRC | Csp::FETCH_CONNECT_SRC, [ 'https://some.tracking-counter-1.com/', ] ) ->AllowHosts( Csp::FETCH_SCRIPT_SRC, [ 'https://cdnjs.com/', 'https://code.jquery.com/', ] ) ->AllowHosts( Csp::FETCH_IMG_SRC, [ 'data:', ] ) ->AllowNonce(Csp::FETCH_SCRIPT_SRC) ->AllowGoogleMaps(); header($csp->GetHeader()); ?><!DOCTYPE HTML> <html lang="en-US"> <head> <meta charset="UTF-8"> <title>CSP</title> </head> <body> <script nonce="<?=$csp->GetNonce()?>" type="text/javascript"> document.write("Safe working javascript code."); </script> <hr /> <script type="text/javascript"> document.write("Dangerous not working javascript code."); </script> </body> </html>