* `Introduction at HTML5Rocks <https://www.html5rocks.com/en/tutorials/security/content-security-policy/>`_
32
+
* `Article at SitePoint <https://www.sitepoint.com/improving-web-security-with-the-content-security-policy/>`_
33
+
34
+
**************
35
+
Turning CSP On
36
+
**************
37
+
38
+
.. important:: The :ref:`Debug Toolbar <the-debug-toolbar>` may use Kint, which
39
+
outputs inline scripts. Therefore, when CSP is turned on, CSP nonce is
40
+
automatically output for the Debug Toolbar. However, if you are not using
41
+
CSP nonce, this will change the CSP header to something you do not intend,
42
+
and it will behave differently than in production; if you want to verify CSP
43
+
behavior, turn off the Debug Toolbar.
44
+
45
+
By default, support for this is off. To enable support in your application, edit the ``CSPEnabled`` value in
46
+
**app/Config/App.php**:
47
+
48
+
.. literalinclude:: csp/011.php
49
+
50
+
When enabled, the response object will contain an instance of ``CodeIgniter\HTTP\ContentSecurityPolicy``. The
51
+
values set in **app/Config/ContentSecurityPolicy.php** are applied to that instance, and if no changes are
52
+
needed during runtime, then the correctly formatted header is sent and you're all done.
53
+
54
+
With CSP enabled, two header lines are added to the HTTP response: a **Content-Security-Policy** header, with
55
+
policies identifying content types or origins that are explicitly allowed for different
56
+
contexts, and a **Content-Security-Policy-Report-Only** header, which identifies content types
57
+
or origins that will be allowed but which will also be reported to the destination
58
+
of your choice.
59
+
60
+
Our implementation provides for a default treatment, changeable through the ``reportOnly()`` method.
61
+
When an additional entry is added to a CSP directive, as shown below, it will be added
62
+
to the CSP header appropriate for blocking or preventing. That can be overridden on a per
63
+
call basis, by providing an optional second parameter to the adding method call.
64
+
65
+
*********************
66
+
Runtime Configuration
67
+
*********************
68
+
69
+
If your application needs to make changes at run-time, you can access the instance at ``$this->response->getCSP()`` in your controllers. The
70
+
class holds a number of methods that map pretty clearly to the appropriate header value that you need to set.
71
+
Examples are shown below, with different combinations of parameters, though all accept either a directive
72
+
name or an array of them:
73
+
74
+
.. literalinclude:: csp/012.php
75
+
76
+
The first parameter to each of the "add" methods is an appropriate string value,
77
+
or an array of them.
78
+
79
+
The ``reportOnly()`` method allows you to specify the default reporting treatment
80
+
for subsequent sources, unless over-ridden. For instance, you could specify
81
+
that youtube.com was allowed, and then provide several allowed but reported sources:
82
+
83
+
.. literalinclude:: csp/013.php
84
+
85
+
**************
86
+
Inline Content
87
+
**************
88
+
89
+
It is possible to set a website to not protect even inline scripts and styles on its own pages, since this might have
90
+
been the result of user-generated content. To protect against this, CSP allows you to specify a nonce within the
91
+
``<style>`` and ``<script>`` tags, and to add those values to the response's header. This is a pain to handle in real
92
+
life, and is most secure when generated on the fly. To make this simple, you can include a ``{csp-style-nonce}`` or
93
+
``{csp-script-nonce}`` placeholder in the tag and it will be handled for you automatically::
94
+
95
+
// Original
96
+
<script {csp-script-nonce}>
97
+
console.log("Script won't run as it doesn't contain a nonce attribute");
98
+
</script>
99
+
100
+
// Becomes
101
+
<script nonce="Eskdikejidojdk978Ad8jf">
102
+
console.log("Script won't run as it doesn't contain a nonce attribute");
103
+
</script>
104
+
105
+
// OR
106
+
<style {csp-style-nonce}>
107
+
. . .
108
+
</style>
109
+
110
+
.. warning:: If an attacker injects a string like ``<script {csp-script-nonce}>``, it might become the real nonce attribute with this functionality. You can customize the placeholder string with the ``$scriptNonceTag`` and ``$styleNonceTag`` properties in **app/Config/ContentSecurityPolicy.php**.
111
+
112
+
If you don't like this auto replacement functionality, you can turn it off with setting ``$autoNonce = false`` in **app/Config/ContentSecurityPolicy.php**.
113
+
114
+
In this case, you can use the functions, :php:func:`csp_script_nonce()` and :php:func:`csp_style_nonce()`::
115
+
116
+
// Original
117
+
<script <?= csp_script_nonce() ?>>
118
+
console.log("Script won't run as it doesn't contain a nonce attribute");
119
+
</script>
120
+
121
+
// Becomes
122
+
<script nonce="Eskdikejidojdk978Ad8jf">
123
+
console.log("Script won't run as it doesn't contain a nonce attribute");
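Review bot: the ``literalinclude`` targets in this hunk now point at ``csp/011.php``, ``csp/012.php`` and ``csp/013.php``, but none of those files appear in the change shown; confirm they are added (or moved from ``response/``) in the same commit, otherwise the Sphinx build fails with an "Include file not found" error for the new page. Two wording points in the moved text are worth fixing while it is being relocated: the opening sentence of "Inline Content" ("It is possible to set a website to not protect even inline scripts and styles on its own pages, since this might have been the result of user-generated content") reads backwards and should say that allowing inline scripts and styles is risky precisely because inline content may originate from user-supplied input, which is why CSP offers nonces for the inline blocks the application itself emits. The ``.. warning::`` about an injected ``<script {csp-script-nonce}>`` string correctly names the risk of the auto-replacement feature, but it only says the placeholder "can" be customized; since the replacement is applied to the rendered response body, the warning should recommend a non-guessable ``$scriptNonceTag`` / ``$styleNonceTag`` value, or ``$autoNonce = false`` with the ``csp_script_nonce()`` / ``csp_style_nonce()`` helpers, for any page that renders user-provided content.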
* `Introduction at HTML5Rocks <https://www.html5rocks.com/en/tutorials/security/content-security-policy/>`_
222
-
* `Article at SitePoint <https://www.sitepoint.com/improving-web-security-with-the-content-security-policy/>`_
223
-
224
-
Turning CSP On
225
-
--------------
226
-
227
-
.. important:: The :ref:`Debug Toolbar <the-debug-toolbar>` may use Kint, which
228
-
outputs inline scripts. Therefore, when CSP is turned on, CSP nonce is
229
-
automatically output for the Debug Toolbar. However, if you are not using
230
-
CSP nonce, this will change the CSP header to something you do not intend,
231
-
and it will behave differently than in production; if you want to verify CSP
232
-
behavior, turn off the Debug Toolbar.
233
-
234
-
By default, support for this is off. To enable support in your application, edit the ``CSPEnabled`` value in
235
-
**app/Config/App.php**:
236
-
237
-
.. literalinclude:: response/011.php
238
-
239
-
When enabled, the response object will contain an instance of ``CodeIgniter\HTTP\ContentSecurityPolicy``. The
240
-
values set in **app/Config/ContentSecurityPolicy.php** are applied to that instance, and if no changes are
241
-
needed during runtime, then the correctly formatted header is sent and you're all done.
242
-
243
-
With CSP enabled, two header lines are added to the HTTP response: a **Content-Security-Policy** header, with
244
-
policies identifying content types or origins that are explicitly allowed for different
245
-
contexts, and a **Content-Security-Policy-Report-Only** header, which identifies content types
246
-
or origins that will be allowed but which will also be reported to the destination
247
-
of your choice.
248
-
249
-
Our implementation provides for a default treatment, changeable through the ``reportOnly()`` method.
250
-
When an additional entry is added to a CSP directive, as shown below, it will be added
251
-
to the CSP header appropriate for blocking or preventing. That can be overridden on a per
252
-
call basis, by providing an optional second parameter to the adding method call.
253
-
254
-
Runtime Configuration
255
-
---------------------
256
-
257
-
If your application needs to make changes at run-time, you can access the instance at ``$this->response->getCSP()`` in your controllers. The
258
-
class holds a number of methods that map pretty clearly to the appropriate header value that you need to set.
259
-
Examples are shown below, with different combinations of parameters, though all accept either a directive
260
-
name or an array of them:
261
-
262
-
.. literalinclude:: response/012.php
263
-
264
-
The first parameter to each of the "add" methods is an appropriate string value,
265
-
or an array of them.
266
-
267
-
The ``reportOnly()`` method allows you to specify the default reporting treatment
268
-
for subsequent sources, unless over-ridden. For instance, you could specify
269
-
that youtube.com was allowed, and then provide several allowed but reported sources:
270
-
271
-
.. literalinclude:: response/013.php
272
-
273
-
Inline Content
274
-
--------------
275
-
276
-
It is possible to set a website to not protect even inline scripts and styles on its own pages, since this might have
277
-
been the result of user-generated content. To protect against this, CSP allows you to specify a nonce within the
278
-
``<style>`` and ``<script>`` tags, and to add those values to the response's header. This is a pain to handle in real
279
-
life, and is most secure when generated on the fly. To make this simple, you can include a ``{csp-style-nonce}`` or
280
-
``{csp-script-nonce}`` placeholder in the tag and it will be handled for you automatically::
281
-
282
-
// Original
283
-
<script {csp-script-nonce}>
284
-
console.log("Script won't run as it doesn't contain a nonce attribute");
285
-
</script>
286
-
287
-
// Becomes
288
-
<script nonce="Eskdikejidojdk978Ad8jf">
289
-
console.log("Script won't run as it doesn't contain a nonce attribute");
290
-
</script>
291
-
292
-
// OR
293
-
<style {csp-style-nonce}>
294
-
. . .
295
-
</style>
296
-
297
-
.. warning:: If an attacker injects a string like ``<script {csp-script-nonce}>``, it might become the real nonce attribute with this functionality. You can customize the placeholder string with the ``$scriptNonceTag`` and ``$styleNonceTag`` properties in **app/Config/ContentSecurityPolicy.php**.
298
-
299
-
If you don't like this auto replacement functionality, you can turn it off with setting ``$autoNonce = false`` in **app/Config/ContentSecurityPolicy.php**.
300
-
301
-
In this case, you can use the functions, :php:func:`csp_script_nonce()` and :php:func:`csp_style_nonce()`::
302
-
303
-
// Original
304
-
<script <?= csp_script_nonce() ?>>
305
-
console.log("Script won't run as it doesn't contain a nonce attribute");
306
-
</script>
307
-
308
-
// Becomes
309
-
<script nonce="Eskdikejidojdk978Ad8jf">
310
-
console.log("Script won't run as it doesn't contain a nonce attribute");
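Review bot: this removal leaves ``response.rst`` with no pointer to where the CSP material went; in place of the deleted "Turning CSP On", "Runtime Configuration" and "Inline Content" subsections, add a short paragraph with a ``:doc:`` reference to the new CSP page so readers of the response documentation and existing inbound links are not stranded. The Sphinx anchors generated for those three headings on the response page disappear with them, so any ``:ref:`` targets elsewhere in the user guide that pointed at these sections need to be retargeted at the new page in the same commit.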