‪TYPO3CMS  ‪main
ContentSecurityPolicyHeaders.php
Go to the documentation of this file.
1 <?php
2 
3 declare(strict_types=1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
18 namespace ‪TYPO3\CMS\Backend\Middleware;
19 
20 use Psr\Http\Message\ResponseInterface;
21 use Psr\Http\Message\ServerRequestInterface;
22 use Psr\Http\Server\MiddlewareInterface;
23 use Psr\Http\Server\RequestHandlerInterface;
24 use Psr\Log\LoggerInterface;
25 use ‪TYPO3\CMS\Core\Cache\Frontend\FrontendInterface;
26 use ‪TYPO3\CMS\Core\Core\RequestId;
27 use ‪TYPO3\CMS\Core\Security\ContentSecurityPolicy\PolicyProvider;
28 use ‪TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope;
29 use ‪TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
30 
36 final class ‪ContentSecurityPolicyHeaders implements MiddlewareInterface
37 {
38  public function ‪__construct(
39  private readonly ‪RequestId $requestId,
40  private readonly LoggerInterface $logger,
41  private readonly ‪FrontendInterface $cache,
42  private readonly ‪PolicyProvider $policyProvider,
43  ) {}
44 
45  public function ‪process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
46  {
47  $request = $request->withAttribute('nonce', $this->requestId->nonce);
48  $response = $handler->handle($request);
49 
50  $scope = ‪Scope::backend();
51  if ($response->hasHeader('Content-Security-Policy') || $response->hasHeader('Content-Security-Policy-Report-Only')) {
52  $this->logger->info('Content-Security-Policy not enforced due to existence of custom header', [
53  'scope' => (string)$scope,
54  'uri' => (string)$request->getUri(),
55  ]);
56  return $response;
57  }
58 
59  $policy = $this->policyProvider->provideFor($scope);
60  if ($policy->isEmpty()) {
61  return $response;
62  }
63  $reportingUri = $this->policyProvider->getReportingUrlFor($scope, $request);
64  if ($reportingUri !== null) {
65  $policy = $policy->report(‪UriValue::fromUri($reportingUri));
66  }
67  return $response->withHeader('Content-Security-Policy', $policy->compile($this->requestId->nonce, $this->cache));
68  }
69 }
‪TYPO3\CMS\Backend\Middleware
Definition: AdditionalResponseHeaders.php:18
‪TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope\backend
‪static backend()
Definition: Scope.php:41
‪TYPO3\CMS\Backend\Middleware\ContentSecurityPolicyHeaders\process
‪process(ServerRequestInterface $request, RequestHandlerInterface $handler)
Definition: ContentSecurityPolicyHeaders.php:45
‪TYPO3\CMS\Core\Core\RequestId
Definition: RequestId.php:26
‪TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope
Definition: Scope.php:30
‪TYPO3\CMS\Backend\Middleware\ContentSecurityPolicyHeaders\__construct
‪__construct(private readonly RequestId $requestId, private readonly LoggerInterface $logger, private readonly FrontendInterface $cache, private readonly PolicyProvider $policyProvider,)
Definition: ContentSecurityPolicyHeaders.php:38
‪TYPO3\CMS\Core\Cache\Frontend\FrontendInterface
Definition: FrontendInterface.php:22
‪TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue
Definition: UriValue.php:29
‪TYPO3\CMS\Backend\Middleware\ContentSecurityPolicyHeaders
Definition: ContentSecurityPolicyHeaders.php:37
‪TYPO3\CMS\Core\Security\ContentSecurityPolicy\PolicyProvider
Definition: PolicyProvider.php:38
‪TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue\fromUri
‪static fromUri(UriInterface $other)
Definition: UriValue.php:34