Separated CSP header
Simbiat committed Apr 24, 2021
1 parent d03c6cc commit a67440b
Showing 3 changed files with 19 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -22,6 +22,7 @@ They are provided in single library and not separately, not only because of some
+ [lastModified](doc/Headers.md#lastmodified)
+ [performance](doc/Headers.md#performance)
+ [security](doc/Headers.md#security)
+ [contentPolicy](doc/Headers.md#contentpolicy)
+ [features](doc/Headers.md#features)
+ [secFetch](doc/Headers.md#secFetch)
+ [clientReturn](doc/Headers.md#clientreturn)
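Review bot: the new `[contentPolicy](doc/Headers.md#contentpolicy)` entry correctly uses a lowercase anchor, but the neighbouring `[secFetch](doc/Headers.md#secFetch)` keeps a capital F; GitHub generates heading anchors in lowercase, so that link will not resolve while the one added here will. Worth changing it to `#secfetch` in the same pass.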
13 changes: 11 additions & 2 deletions doc/Headers.md
@@ -3,6 +3,7 @@
- [lastModified](#lastmodified)
- [performance](#performance)
- [security](#security)
- [contentPolicy](#contentpolicy)
- [features](#features)
- [secFetch](#secFetch)
- [clientReturn](#clientreturn)
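Review bot: same anchor-case issue as in README.md: this in-file table of contents links `[secFetch](#secFetch)` while every other entry, including the new `[contentPolicy](#contentpolicy)`, is lowercase; change it to `#secfetch` so the TOC links resolve consistently.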
@@ -76,7 +77,7 @@ Sends some headers that may improve performance on client side.

## security
```php
security(string $strat = 'strict', array $allowOrigins = [], array $exposeHeaders = [], array $allowHeaders = [], array $allowMethods = [], array $cspDirectives = [], bool $reportonly = false);
security(string $strat = 'strict', array $allowOrigins = [], array $exposeHeaders = [], array $allowHeaders = [], array $allowMethods = []);
```
Sends headers that can improve security of your page.

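Review bot: the description under the new signature still reads only "Sends headers that can improve security of your page." and says nothing about CSP having moved out of `security()`. Since `$cspDirectives` and `$reportonly` were dropped from the signature, add a sentence such as "Content-Security-Policy is no longer sent by this method; use `contentPolicy()` instead" so readers upgrading from the previous signature know where the CSP header went.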
@@ -110,11 +111,19 @@ default:
`$cspDirectives` (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) allows you to provide a list of directives and their settings (with validation) to control CSP headers. By default, essentially eveyrthing is either disabled or allowed only from `self`, which give you a solid base in terms of restricting access.
`$reportonly` allows you to control, whether you only report (`Content-Security-Policy-Report-Only`) CPS violations or report **and** block them. Be default it's set as `false` for security enforcement. Note, that if it's set to `true`, but you do not provide `report-to` directive **no** CSP header will be sent, reducing your security. For that reason, if you do want to report, I can suggest using https://rapidsec.com/ which is free. Also note, that while `report-uri` is **temporary** added until `report-to` is supported by all browsers, `report-uri` **will be discarded** if it's provided without `report-to` to encourage the use of a modern directive.

## contentPolicy
```php
contentPolicy(array $cspDirectives = [], bool $reportonly = false);
```
Sends Content-Security-Policy header, that improves your page security. It's done separately from other security stuff, because unlike the rest of the headers this is usable only for HTML.
`$cspDirectives` (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) allows you to provide a list of directives and their settings (with validation) to control CSP headers. By default, essentially eveyrthing is either disabled or allowed only from `self`, which give you a solid base in terms of restricting access.
`$reportonly` allows you to control, whether you only report (`Content-Security-Policy-Report-Only`) CPS violations or report **and** block them. Be default it's set as `false` for security enforcement. Note, that if it's set to `true`, but you do not provide `report-to` directive **no** CSP header will be sent, reducing your security. For that reason, if you do want to report, I can suggest using https://rapidsec.com/ which is free. Also note, that while `report-uri` is **temporary** added until `report-to` is supported by all browsers, `report-uri` **will be discarded** if it's provided without `report-to` to encourage the use of a modern directive.

## features
```php
features(array $features = [], bool $forcecheck = true);
```
Allows to control different features through Feature-Policy header.
Allows to control different features through Feature-Policy header. It should only be used, when sending HTML.
`$features` expectes assotiative array, where each key is name of the policy in lower case and value - expected `allow list`. If an empty array is sent default values will be applied (most features are disabled).
`$forcecheck` is added for futureproofing, but is enabled by default. If set to `true` will check if the feature is "supported" (present in default array) and value complies with the standard. Setting it to `false` will allow you to utilize a feature or value not yet supported by the library.

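Review bot: the `$cspDirectives` and `$reportonly` paragraphs at the top of this hunk are left in place under `## security` even though this commit removes both parameters from `security()`; they are now duplicated verbatim under `## contentPolicy` and should be deleted from the security section so readers don't keep passing them to `security()`. The copied text also carries the same typos into the new section ("eveyrthing", "which give", "CPS violations", "Be default", "temporary added"); since the paragraph is being moved anyway, correct them to "everything", "which gives", "CSP violations", "By default" and "temporarily added".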
8 changes: 7 additions & 1 deletion src/Headers.php
@@ -95,7 +95,7 @@ class Headers
];

#Function sends headers, related to security
public function security(string $strat = 'strict', array $allowOrigins = [], array $exposeHeaders = [], array $allowHeaders = [], array $allowMethods = [], array $cspDirectives = [], bool $reportonly = false): self
public function security(string $strat = 'strict', array $allowOrigins = [], array $exposeHeaders = [], array $allowHeaders = [], array $allowMethods = []): self
{
#Default list of allowed methods, limited to only "simple" ones
$defaultMethods = self::safeMethods;
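Review bot: dropping `$cspDirectives` and `$reportonly` from `security()` is a breaking change that fails silently: PHP does not reject extra positional arguments passed to a user-defined method, so existing callers that passed CSP directives as the sixth and seventh arguments keep running but no longer send any Content-Security-Policy header. Consider a major version bump with a changelog entry, or keep the two parameters for one release and forward them to `contentPolicy()` together with a deprecation notice.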
@@ -177,6 +177,12 @@ public function security(string $strat = 'strict', array $allowOrigins = [], arr
header('Referrer-Policy: no-referrer');
break;
}
return $this;
}

#Function to process CSP header
public function contentPolicy(array $cspDirectives = [], bool $reportonly = false): self
{
#Set defaults directives for CSP
$defaultDirectives = self::secureDirectives;
#Apply custom directives
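Review bot: the documentation added in this commit states that `$reportonly = true` without a `report-to` directive results in no CSP header being sent at all; the body that follows `#Apply custom directives` should surface that condition (for example via `trigger_error()` or an exception) rather than quietly returning `$this`, because silently omitting the header is a security regression the caller will not notice. The `#Function to process CSP header` comment would also be more useful as a short docblock noting that the method returns `$this` for chaining and, per the docs, is intended for HTML responses only.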

0 comments on commit a67440b