Bugzilla::CGI::ContentSecurityPolicy - Object-oriented interface to generating CSP directives and adding them to headers.
    use Bugzilla::CGI::ContentSecurityPolicy;

    my $csp = Bugzilla::CGI::ContentSecurityPolicy->new(
        default_src => [ 'self' ],
        style_src   => [ 'self', 'unsafe-inline' ],
        script_src  => [ 'self', 'nonce' ],
        child_src   => [ 'none' ],
        report_uri  => '/csp-report.cgi',
        referrer    => 'origin-when-cross-origin',
    );

    $csp->headers_names;              # returns a list of header names; depends on the value of $self->report_only
    $csp->value;                      # returns the string representation of the policy
    $csp->add_cgi_headers(\%hashref); # inserts entries compatible with CGI.pm's $cgi->headers() method into the provided hashref
This class provides an object interface to constructing Content Security Policies.
Rather than using this module directly, scripts should call $C->content_security_policy(), which constructs the CSP headers and registers them for the current request.
See Bugzilla::CGI for details.
Generally all CSP directives are available as attributes to the constructor, with dashes replaced by underscores. All directives that can be lists must be passed as array references; the quoting rules for URLs and for keywords like 'self' or 'none' are handled automatically.
If this is true, the -Report-Only version of the headers will be produced, so violations are reported but nothing is blocked.
If this is true, no CSP headers will be used at all.
The base-uri directive defines the URIs that a user agent may use as the document base URL. If this directive is absent, any URI is allowed and the user agent uses the value of the base element.
The child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. This directive is preferred over the frame-src directive, which is deprecated. For workers, non-compliant requests are treated as fatal network errors by the user agent.
The connect-src directive defines valid sources for fetch, XMLHttpRequest, WebSocket, and EventSource connections.
The default-src directive defines the security policy for types of content which are not expressly called out by more specific directives. This directive covers the following directives:
The font-src directive specifies valid sources for fonts loaded using @font-face.
The img-src directive specifies valid sources of images and favicons.
The manifest-src directive specifies which manifest can be applied to the resource.
The media-src directive specifies valid sources for loading media using the <audio> and <video> elements.
The object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.
The referrer directive specifies information in the referer (sic) header for links away from a page. Valid values are no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, and unsafe-url.
The report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
The sandbox directive applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
The script-src directive specifies valid sources for JavaScript. When either the script-src or the default-src directive is included, inline script and eval() are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively. In Chrome 49 and later, 'script-src http' will match both HTTP and HTTPS.
The style-src directive specifies valid sources for stylesheets. This includes both externally-loaded stylesheets and inline use of the style element and HTML style attributes. Stylesheets from sources that aren't included in the source list are not requested or loaded. When either the style-src or the default-src directive is included, inline use of the style element and HTML style attributes are disabled unless you specify 'unsafe-inline'.
The upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they had been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
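To show what arrives at the endpoint named by report-uri, here is an added example of a minimal receiver for the JSON violation reports a user agent POSTs. It is not Bugzilla's own csp-report.cgi; the field names follow the CSP specification's csp-report object, while the size limit, the log-line format, the sample report and the function names are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's csp-report.cgi: parse and log one CSP
# violation report. Field names are the CSP spec's "csp-report" keys; the
# body limit, log format and function names are assumptions.
use strict;
use warnings;
use JSON::PP ();

my $MAX_BODY = 64 * 1024;    # refuse oversized bodies before decoding them

# Fields worth keeping; anything else in the report is dropped.
my @KEEP = qw(document-uri referrer blocked-uri violated-directive
              effective-directive original-policy source-file
              line-number column-number status-code disposition);

# Parse one report body. Returns ($fields) on success, or (undef, $reason).
sub parse_csp_report {
    my ($body) = @_;
    return (undef, 'body too large') if length($body) > $MAX_BODY;
    my $doc = eval { JSON::PP->new->decode($body) };
    return (undef, 'invalid JSON') unless ref $doc eq 'HASH';
    my $r = $doc->{'csp-report'};
    return (undef, 'no csp-report object') unless ref $r eq 'HASH';

    my %out;
    for my $k (@KEEP) {
        next unless defined $r->{$k} && !ref $r->{$k};
        # Reports are browser-supplied input influenced by page content:
        # cap each value and neutralise control characters before logging.
        (my $v = substr($r->{$k}, 0, 1024)) =~ s/[\x00-\x1f\x7f]/?/g;
        $out{$k} = $v;
    }
    return (undef, 'missing violated-directive')
        unless defined $out{'violated-directive'};
    return \%out;
}

# One key=value log line per report, fields in a fixed order.
sub format_report_line {
    my ($fields) = @_;
    return join ' ', map { "$_=$fields->{$_}" } grep { defined $fields->{$_} } @KEEP;
}

# Constructed sample report in the shape a browser sends.
my $SAMPLE = <<'JSON';
{"csp-report":{"document-uri":"https://bugzilla.example/show_bug.cgi?id=1",
 "referrer":"","violated-directive":"script-src 'self' 'nonce-abc'",
 "effective-directive":"script-src",
 "original-policy":"default-src 'self'; script-src 'self' 'nonce-abc'; report-uri /csp-report.cgi",
 "blocked-uri":"inline","status-code":200,"disposition":"enforce","line-number":42}}
JSON

if (!caller) {
    # Stand-alone run: parse the constructed sample and print the log line.
    # Deployed as a CGI script, one would instead read STDIN up to
    # CONTENT_LENGTH and check that CONTENT_TYPE is application/csp-report.
    my ($fields, $err) = parse_csp_report($SAMPLE);
    die "rejected: $err\n" unless $fields;
    print format_report_line($fields), "\n";
}
```

The "blocked-uri" of "inline" together with an "effective-directive" of "script-src" is the signature of an inline script that carried no valid nonce; when a site is rolled out with report_only set, these lines are what tells you which pages still need the nonce before enforcement is switched on.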
This returns a list of header names. This will typically be Content-Security-Policy, X-Content-Security-Policy, and X-WebKit-CSP.
This returns the value of the header, i.e. the part to the right of the colon.
This adds header_value() to $headers in a format that is compatible with CGI's headers() method.
This is a unique value that can be used when 'nonce' is given as a source for style_src or script_src.
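The attribute and method descriptions above fit together as follows. The code below is an added, stand-alone sketch written for this page, not the Bugzilla module itself: it models a policy object with the constructor keys from the synopsis, applies the quoting rules the ATTRIBUTES text describes (keywords quoted, URLs bare, 'nonce' expanded to the per-request nonce), and shows how report_only changes the header names and how the entries land in a CGI.pm-style hashref. The package name CSPSketch, the helper names _source and _random_nonce, the set of directives handled and the directive ordering are all assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's own module: a stand-alone sketch of a CSP
# policy object with the constructor keys and quoting rules described above.
# Package name, helper names and directive ordering are assumptions.
package CSPSketch;
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Source keywords that CSP requires to be single-quoted; hosts/URLs are bare.
my %KEYWORD = map { $_ => 1 } qw(self none unsafe-inline unsafe-eval);

my @LIST_DIRECTIVES   = qw(default_src script_src style_src img_src font_src
                           connect_src media_src object_src child_src
                           manifest_src base_uri);
my @SCALAR_DIRECTIVES = qw(referrer report_uri);

sub new {
    my ($class, %args) = @_;
    my $self = bless {%args}, $class;
    $self->{report_only} //= 0;
    $self->{nonce} //= _random_nonce();    # one fresh value per object, i.e. per request
    return $self;
}

# 16 random bytes from the OS, base64-encoded: the value used in 'nonce-...'.
sub _random_nonce {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $bytes;
    read($fh, $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return encode_base64($bytes, '');
}

sub nonce       { $_[0]{nonce} }
sub report_only { $_[0]{report_only} }

# The -Report-Only variant reports to report-uri but blocks nothing.
sub header_names {
    my ($self) = @_;
    my @names = ('Content-Security-Policy');
    return map { "$_-Report-Only" } @names if $self->report_only;
    return @names;
}

# Quote one source expression: keywords get quotes, 'nonce' becomes the
# per-request nonce token, anything else (scheme, host, URL) is emitted as-is.
sub _source {
    my ($self, $src) = @_;
    return "'$src'"                 if $KEYWORD{$src};
    return "'nonce-$self->{nonce}'" if $src eq 'nonce';
    return $src;
}

# The right-of-colon part of the header: directives joined by "; ".
sub header_value {
    my ($self) = @_;
    my @parts;
    for my $attr (@LIST_DIRECTIVES) {
        next unless defined $self->{$attr};
        (my $name = $attr) =~ tr/_/-/;
        my @srcs = ref $self->{$attr} eq 'ARRAY' ? @{ $self->{$attr} } : ($self->{$attr});
        push @parts, join ' ', $name, map { $self->_source($_) } @srcs;
    }
    for my $attr (@SCALAR_DIRECTIVES) {
        next unless defined $self->{$attr};
        (my $name = $attr) =~ tr/_/-/;
        push @parts, "$name $self->{$attr}";
    }
    push @parts, 'upgrade-insecure-requests' if $self->{upgrade_insecure_requests};
    return join '; ', @parts;
}

# Add entries to a hashref in the form CGI.pm's $cgi->header() accepts
# (dash-prefixed header names as named parameters).
sub add_cgi_headers {
    my ($self, $headers) = @_;
    $headers->{"-$_"} = $self->header_value for $self->header_names;
    return $headers;
}

package main;

my $csp = CSPSketch->new(
    default_src => ['self'],
    style_src   => [ 'self', 'unsafe-inline' ],
    script_src  => [ 'self', 'nonce' ],
    child_src   => ['none'],
    report_uri  => '/csp-report.cgi',
    referrer    => 'origin-when-cross-origin',
);
print "$_: ", $csp->header_value, "\n" for $csp->header_names;
# Every inline script the page emits must carry the same nonce:
print qq{<script nonce="}, $csp->nonce, qq{">/* permitted inline code */</script>\n};

# Report-only variant: same value, different header name, nothing blocked.
my %h;
CSPSketch->new(default_src => ['self'], report_only => 1,
               report_uri => '/csp-report.cgi')->add_cgi_headers(\%h);
print "$_ => $h{$_}\n" for sort keys %h;
```

Run stand-alone, the first print produces a header such as `Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-...'; style-src 'self' 'unsafe-inline'; child-src 'none'; referrer origin-when-cross-origin; report-uri /csp-report.cgi`, with a different nonce on every run. The point of generating the nonce per object is that a script tag can only be whitelisted by a value the attacker could not have known when the page was composed; reusing one nonce across requests would defeat that.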