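<?php
// Configure the Content-Security-Policy header for the current response.
// This snippet runs inside a controller: it reads the CSP instance from
// $this->response and configures it in place (no return value is used).
$csp = $this->response->getCSP();
// default directive treatment: enforce (block) rather than only report
$csp->reportOnly(false);
// fallback source for any directive that is not given its own origin
$csp->setDefaultSrc('cdn.example.com');
// endpoint that receives violation reports for report-only entries.
// Reports describe the document and the blocked resource, so the collector
// is reached over https rather than http to keep them out of cleartext.
$csp->setReportURI('https://example.com/csp/reports');
// ask the browser to upgrade http: resource requests to https:
$csp->upgradeInsecureRequests(true);
// add types or origins to CSP directives. The optional second argument
// overrides the default treatment for that single entry: true = report
// only, false (or omitted) = block, because reportOnly(false) was set above.
$csp->addBaseURI('example.com', true); // report only
$csp->addChildSrc('https://youtube.com'); // blocked
$csp->addConnectSrc('https://*.facebook.com', false); // blocked
$csp->addFontSrc('fonts.example.com');
$csp->addFormAction('self');
$csp->addFrameAncestor('none', true); // report this one
$csp->addImageSrc('cdn.example.com');
$csp->addMediaSrc('cdn.example.com');
$csp->addManifestSrc('cdn.example.com');
$csp->addObjectSrc('cdn.example.com', false); // reject from here
$csp->addPluginType('application/pdf', false); // reject this media type
$csp->addScriptSrc('scripts.example.com', true); // allow but report requests from here
$csp->addStyleSrc('css.example.com');
// sandbox takes a list of flags; each flag re-enables one capability
$csp->addSandbox(['allow-forms', 'allow-scripts']);
// the following CSP3 directives are available in v4.7.0 and later;
// the *-attr / *-elem variants let inline attributes and elements be
// governed separately from the broader script-src / style-src entries
$csp->addScriptSrcAttr('trusted.com');
$csp->addScriptSrcElem('trusted.com');
$csp->addStyleSrcAttr('trusted.com');
$csp->addStyleSrcElem('trusted.com');
$csp->addWorkerSrc('workers.example.com');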