aubes/csp-bundle

Installs: 11

Dependents: 0

Suggesters: 0

Security: 0

Stars: 1

Watchers: 1

Forks: 0

Open Issues: 0

Type: symfony-bundle

v1.0.0 2023-04-20 10:55 UTC

This package is auto-updated.

Last update: 2024-09-20 14:16:28 UTC


README
This Symfony bundle provides helpers for configuring Content-Security-Policy headers.

It is compatible with:

  • PHP 7.4
  • Symfony 5.4

Installation

composer require aubes/csp-bundle

Configuration

The configuration looks like this:

# config/packages/csp.yaml
csp:
    # A default group name is required when multiple groups are defined
    # When only one group is defined, it becomes the default group
    default_group: ~

    # Add the default group's CSP headers to each response
    auto_default: false

    groups:
        # Name of the policy group
        default_example:
            # Use the 'Content-Security-Policy-Report-Only' header instead of 'Content-Security-Policy'
            report_only: false

            policies:
                # Use the directive name, reference: https://mdn.org.cn/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
                base-uri:
                    # Internal (keyword) sources are supported; single quotes are added automatically
                    - self

                    # A constant can be used for an internal source
                    - !php/const Aubes\CSPBundle\CSPSource::SELF

                    # Source reference: https://mdn.org.cn/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources
                    - 'https://example.com'

                # Use a PHP constant instead of the directive name
                !php/const Aubes\CSPBundle\CSPDirective::SCRIPT_SRC:
                    - # Source

        another_group:
            # [...]

Usage

Adding CSP headers

Auto default

If the auto_default option is enabled, the default group is injected into every response.

Disabling CSP on a specific route

# config/routes.yaml
example_routes:
    # [...]
    defaults:
        _csp_disabled: true

Manual

# config/routes.yaml
example_routes:
    # [...]
    defaults:
        _csp_groups: [] # Group list

Adding a directive dynamically

<?php

namespace App\Controller;

use Aubes\CSPBundle\CSP;
use Aubes\CSPBundle\CSPDirective;
use Aubes\CSPBundle\CSPSource;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class ExampleController extends AbstractController
{
    public function __invoke(CSP $csp)
    {
        // Third argument selects the policy group; the default group is used when omitted
        $csp->addDirective(CSPDirective::SCRIPT_SRC, CSPSource::UNSAFE_INLINE/*, 'default_example'*/);

        return $this->render('csp.html.twig');
    }
}

Source nonce

Twig functions are available to add a nonce to inline elements in templates.

csp_nonce

Parameters:

  • directive: name of the CSP directive # required
  • groupName: group name; the default group is used if not defined
  • nonce: base64 nonce id

<!-- templates/example.html.twig -->

<!-- Add a generated nonce on an inline element in the default group -->
<script {{ csp_nonce('script-src') }}>
    // [...]
</script>

<!-- Add a generated nonce on an inline element in a specific group -->
<script {{ csp_nonce('script-src', 'default_example') }}>
    // [...]
</script>

<!-- Add a base64 custom nonce on an inline element in a specific group -->
<script {{ csp_nonce('script-src', 'default_example', 'MTIzNDU2') }}>
    // [...]
</script>

csp_script_nonce

Parameters:

  • groupName: group name; the default group is used if not defined
  • nonce: base64 nonce id

csp_style_nonce

Parameters:

  • groupName: group name; the default group is used if not defined
  • nonce: base64 nonce id

Reporting

Configuration

Enable report-to in the configuration:

# config/packages/csp.yaml
csp:
    groups:
        default_example:
            reporting:
                group_name: ~ # Override the group name
                
                # Add report-uri backward compatibility
                backward_compatibility: false
                
                max_age: 3600
                endpoints:
                    - # Symfony route
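As an added example (not code from the bundle), the following standalone PHP script renders the headers a policy group such as `default_example` maps to, tying together the policy group, the nonce Twig functions and the reporting block above. The quoting of keyword sources, the endpoints already resolved from route names to URLs and the Report-To JSON layout are assumptions about the bundle's output.

```php
<?php
// Added illustration, not code from aubes/csp-bundle: renders the headers a policy
// group maps to. Keyword quoting and the Report-To JSON layout are assumptions.
const INTERNAL_SOURCES = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];

function cspSource(string $source): string
{
    // Keywords get the single quotes CSP requires; origins are passed through.
    return in_array($source, INTERNAL_SOURCES, true) ? "'$source'" : $source;
}

/** @param array<string,string[]> $nonces directive => base64 nonces; returns header name => value */
function cspHeaders(string $groupName, array $group, array $nonces = []): array
{
    $directives = [];
    foreach ($group['policies'] as $directive => $sources) {
        $values = array_map('cspSource', $sources);
        foreach ($nonces[$directive] ?? [] as $nonce) {
            $values[] = "'nonce-$nonce'";
        }
        $directives[] = $directive . ' ' . implode(' ', $values);
    }
    $headers = [];
    if (isset($group['reporting'])) {
        $r = $group['reporting'];
        $reportGroup = $r['group_name'] ?? $groupName;   // group_name: ~ keeps the CSP group name
        $directives[] = 'report-to ' . $reportGroup;
        if ($r['backward_compatibility'] ?? false) {      // legacy report-uri for older browsers
            $directives[] = 'report-uri ' . implode(' ', $r['endpoints']);
        }
        $headers['Report-To'] = json_encode([
            'group' => $reportGroup,
            'max_age' => $r['max_age'],
            'endpoints' => array_map(fn (string $u) => ['url' => $u], $r['endpoints']),
        ], JSON_UNESCAPED_SLASHES);
    }
    $name = ($group['report_only'] ?? false) ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    $headers[$name] = implode('; ', $directives);
    return $headers;
}

// Constructed sample: the README's default_example group, endpoints already resolved to URLs.
$group = ['report_only' => true,
    'policies' => ['base-uri' => ['self', 'https://example.com'], 'script-src' => ['self']],
    'reporting' => ['group_name' => null, 'backward_compatibility' => true, 'max_age' => 3600,
                    'endpoints' => ['https://example.com/csp-report/default_example']]];
$nonce = base64_encode(random_bytes(16)); // the value csp_nonce('script-src') would emit
foreach (cspHeaders('default_example', $group, ['script-src' => [$nonce]]) as $name => $value) {
    echo "$name: $value\n";
}
```

With report_only set to true the policy is delivered as Content-Security-Policy-Report-Only, so violations are reported to the endpoint without being enforced; flip it to false once the reports are clean.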

Built-in controller

The built-in controller can log reports (path: /csp-report/{group}, name: csp_report).

To log reports with the built-in controller:

# config/routes.yaml
csp:
    resource: '@CSPBundle/Resources/config/routing.yaml'

Add the route to the reporting endpoints:

# config/packages/csp.yaml
csp:
    groups:
        default_example:
            reporting:
                # [...]
                endpoints:
                    - 'csp_route'

Built-in controller logger

To configure the logger used by this controller:

# config/packages/csp.yaml
csp:
    report_logger:
        logger_id: ~ # Logger Service Id
        level: ~ # Log level, default is WARNING