ComponentController
extends SystemComponentController
in package
Main controller for Security
The security class checks for possible attacks to the server and supports a few functions to make everything more secure.
Table of Contents
Constants
- API_COMMAND_REPORT_CSP = 'ReportCsp'
- API command name for reporting CSP violations
- CLX_MEDIA_CDN = 'https://media.cloudrexx.com/'
- Host of CLX resources
Properties
- $criticalServerVars : array<string|int, mixed>
- $_SERVER variable indexes used by Cloudrexx
- $config : array<string|int, mixed>
- Config loaded from YAML
- $cspSourceIds : array<string|int, mixed>
- Stores unique identifiers for each CSP source tag that has been processed.
- $cspSourceIndex : int
- Used as internal index for each trusted CSP source
- $cspSources : array<string|int, mixed>
- An array that stores CSP compliant sources extracted from content {@see static::fetchTrustedCspSources()} based on the defined CSP tags {@see static::$cspSourceTags} or manually set through {@see static::registerTrustedCspSource()}.
- $cspSourceTags : array<string|int, mixed>
- Defines mappings of Content Security Policy (CSP) directives to specific HTML tags and their children.
- $cx : Cx
- Main class instance
- $developerDocumentationUrl : string
- URL pointing to the developer documentation for this component
- $enduserDocumentationUrl : string
- URL pointing to the end-user documentation for this component
- $isCspSet : bool
- Whether the (header for the) Content Security Policy has been set for the current request.
- $systemComponent : SystemComponent
- Decorated SystemComponent
- $templateDocumentationUrl : string
- URL pointing to the template definitions for this component
- $useCspImgSrcData : bool
- Indicates whether data URLs should be allowed for image sources in CSP.
- $useCspScriptSrcUnsafeInline : bool
- Indicates whether 'unsafe-inline' should be allowed for script sources in CSP.
- $useCspWorkerSrcSelf : bool
- Indicates whether 'self' should be allowed for worker sources in CSP.
Methods
- __call() : mixed
- Decoration: all methods that are not specified in this or child classes call the corresponding method of the decorated SystemComponent
- __construct() : mixed
- Initializes a controller
- adjustResponse() : mixed
- Do something with a Response object. You may do page alterations here (like changing the meta title). You may do response alterations here (like setting headers). PLEASE MAKE SURE THIS METHOD IS MOCKABLE. IT MAY ONLY INTERACT WITH THE resolve() HOOK.
- delayResponseUntil() : void
- Artificially delay response
- detectIntrusion() : array<string|int, mixed>
- Detect intrusion
- enableCspImgSrcData() : void
- Enables the use of data URLs for image sources in the CSP settings.
- enableCspScriptSrcUnsafeInline() : void
- Enables the use of 'unsafe-inline' for script sources in the CSP settings.
- enableCspWorkerSrcSelf() : void
- Enables the use of 'self' for worker sources in the CSP settings.
- executeCommand() : void
- Execute one of the commands listed in getCommandsForCommandMode()
- getCommandDescription() : string
- Returns the description for a command provided by this component
- getCommandsForCommandMode() : array<string|int, mixed>
- Returns a list of command mode commands provided by this component
- getComponent() : SystemComponentController
- Get component controller object
- getConfigValue() : string
- Returns a value from the config tree
- getConfigValues() : array<string|int, mixed>
- Returns part of the config tree
- getController() : Controller
- Returns a controller instance if one already exists
- getControllerClasses() : array<string|int, mixed>
- Returns all Controller class names for this component (except this)
- getControllers() : array<string|int, mixed>
- Returns a list of controllers
- getControllersAccessableByJson() : array<string|int, mixed>
- Returns a list of JsonAdapter class names
- getDeveloperDocumentationUrl() : string
- Returns the URL pointing to the developer documentation of this component.
- getEnduserDocumentationUrl() : string
- Returns the URL pointing to the end-user documentation for this component.
- getRequestInfo() : string
- Get request info
- getSystemComponent() : SystemComponent
- Returns the SystemComponent this Controller decorates
- getSystemComponentController() : SystemComponentController
- Returns the main controller
- getTemplateDocumentationUrl() : string
- Returns the URL pointing to the template documentation for this component.
- hasAccessToExecuteCommand() : bool
- Check whether the command has access to execute or not.
- isCspOnFetchDirectivesEnabled() : bool
- Check if Content Security Policy for script-src shall be set
- load() : mixed
- Load your component. It is needed for this request.
- postComponentLoad() : mixed
- Do something after all active components are loaded. USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE.
- postContentLoad() : mixed
- Do something after content is loaded from DB
- postContentParse() : mixed
- Do something after a module is loaded
- postFinalize() : mixed
- Do something after main template got parsed
- postInit() : mixed
- Do something after system initialization
- postResolve() : mixed
- Do something after resolving is done
- preComponentLoad() : mixed
- Do something before component load. USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE.
- preContentLoad() : mixed
- Do something before content is loaded from DB
- preContentParse() : mixed
- Do something before a module is loaded
- preFinalize() : mixed
- Do something before main template gets parsed
- preInit() : mixed
- Do something before system initialization
- preResolve() : mixed
- Do something before resolving is done
- registerController() : null
- Registers a controller instance
- registerEventListeners() : mixed
- Register your event listeners here
- registerEvents() : mixed
- Register your events here
- registerTrustedCspSource() : void
- Add $source to the Content-Security-Policy $fetchDirective.
- registerTrustedCspSources() : bool
- Check if Content Security Policy for script-src shall be set
- resolve() : mixed
- Called for additional, component specific resolving
- setSystemComponent() : SystemComponent
- Sets the SystemComponent this Controller decorates
- adjustFullyQualifiedClassName() : string
- This makes sure a FQCN does not contain double backslashes
- blockMimeSniffing() : mixed
- Blocks MIME sniffing unless it has been disabled.
- configureCspBaseUri() : void
- Configure base-uri directive of the Content-Security-Policy header.
- configureCspChildSrc() : void
- Configure child-src directive of the Content-Security-Policy header.
- configureCspConnectSrc() : void
- Configure connect-src directive of the Content-Security-Policy header.
- configureCspDefaultSrc() : void
- Configure default-src directive of the Content-Security-Policy header.
- configureCspFontSrc() : void
- Configure font-src directive of the Content-Security-Policy header.
- configureCspFrameAncestors() : mixed
- Configure frame-ancestors directive of the Content-Security-Policy header.
- configureCspFrameSrc() : void
- Configure frame-src directive of the Content-Security-Policy header.
- configureCspImgSrc() : void
- Configure img-src directive of the Content-Security-Policy header.
- configureCspManifestSrc() : void
- Configure manifest-src directive of the Content-Security-Policy header.
- configureCspMediaSrc() : void
- Configure media-src directive of the Content-Security-Policy header.
- configureCspObjectSrc() : void
- Configure object-src directive of the Content-Security-Policy header.
- configureCspScriptSrc() : void
- Configure script-src directive of the Content-Security-Policy header.
- configureCspStyleSrc() : void
- Configure style-src directive of the Content-Security-Policy header.
- configureCspWorkerSrc() : void
- Configure worker-src directive of the Content-Security-Policy header.
- fetchCspViolations() : array<string|int, mixed>
- Fetch CSP violation reports
- fetchTrustedCspSources() : void
- Fetches trusted CSP sources from the HTML content by identifying previously marked tags with unique IDs and extracting their relevant 'src' attributes to form CSP-compliant URLs.
- fetchViolationFromLegacyCspReport() : array<string|int, mixed>
- Fetch legacy CSP violation report
- getControllerClassName() : string
- This finds the correct FQCN for a controller name
- getCspSourcesFromTheme() : array<string|int, mixed>
- Retrieves CSP (Content Security Policy) source definitions for a specific directive from the theme's configuration.
- getSupportedProtocols() : string
- Returns the value of the setting option forceProtocolFrontend if we're in frontend or otherwise the value of option forceProtocolBackend.
- loadConfigFile() : array<string|int, mixed>
- Loads a config YAML file
- loadData() : void
- Load data from Component.yml
- markTrustedCspSources() : void
- Marks specific HTML tags as trusted for CSP based on the predefined {@see static::$cspSourceTags}.
- ReportCsp() : void
- Report CSP violation
- scanRequest() : mixed
- Scan input arguments for potential attacks
- setContentSecurityPolicy() : mixed
- Configure HTTP header Content-Security-Policy
- setCspReporting() : void
- Enable Content Security Policy violation reporting to the client
- setHSTS() : mixed
- Configure HTTP header Strict-Transport-Security
- setUpgradeInsecureRequests() : void
- Set Content-Security-Policy upgrade-insecure-requests if HTTPS is enforced.
- useCspReportOnly() : bool
- Whether to set Content-Security-Policy-Report-Only in backend or not.
Constants
API_COMMAND_REPORT_CSP
API command name for reporting CSP violations
protected
mixed
API_COMMAND_REPORT_CSP
= 'ReportCsp'
CLX_MEDIA_CDN
Host of CLX resources
protected
mixed
CLX_MEDIA_CDN
= 'https://media.cloudrexx.com/'
Properties
$criticalServerVars
$_SERVER variable indexes used by Cloudrexx
public
array<string|int, mixed>
$criticalServerVars
= array('DOCUMENT_ROOT', 'HTTPS', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_CLIENT_IP', 'HTTP_HOST', 'HTTP_REFERER', 'HTTP_USER_AGENT', 'HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'PHP_SELF', 'QUERY_STRING', 'REMOTE_ADDR', 'REQUEST_URI', 'SCRIPT_FILENAME', 'SCRIPT_NAME', 'SCRIPT_URI', 'SERVER_ADDR', 'SERVER_NAME', 'SERVER_PORT', 'SERVER_PROTOCOL', 'SERVER_SOFTWARE', 'argv')
$config
Config loaded from YAML
protected
array<string|int, mixed>
$config
= array()
Tree of configs
$cspSourceIds
Stores unique identifiers for each CSP source tag that has been processed.
protected
array<string|int, mixed>
$cspSourceIds
= []
These identifiers are used to verify and validate the trusted sources.
$cspSourceIndex
Used as internal index for each trusted CSP source
protected
static int
$cspSourceIndex
= 0
$cspSources
An array that stores CSP compliant sources extracted from content {@see static::fetchTrustedCspSources()} based on the defined CSP tags {@see static::$cspSourceTags} or manually set through {@see static::registerTrustedCspSource()}.
protected
array<string|int, mixed>
$cspSources
= []
Each source is of the form
$cspSourceTags
Defines mappings of Content Security Policy (CSP) directives to specific HTML tags and their children.
protected
array<string|int, mixed>
$cspSourceTags
= ['frame-src' => ['frame', 'iframe'], 'media-src' => ['audio' => ['source', 'track'], 'video' => ['source', 'track']]]
This associative array is structured to facilitate the dynamic application of CSP rules based on HTML content structure.
Each key at the first level represents a CSP directive, such as 'frame-src' or 'media-src'. The values associated with these keys are arrays that detail the HTML elements (tags) to which the CSP directive applies.
At the second level, the array either lists HTML tag names directly under the directive (e.g., 'frame', 'iframe' for 'frame-src') or specifies parent tags that have further nested child tags defined in a third level. This nested structure allows for specifying CSP rules more granularly for complex HTML elements like media elements, which can contain child tags.
For instance, under 'media-src', the parent tags ('audio', 'video') each have their own arrays listing child tags ('source', 'track') that should also adhere to the CSP rules defined for the parent.
Structure:
    [
        'directive-name' => [
            'tag-name',                         // Direct mapping for simple tags
            'parent-tag' => ['child-tag', ...]  // Parent-child mapping for complex tags
        ],
        ...
    ]
This approach ensures that the CSP rules are applied precisely where needed, enhancing security while maintaining flexibility.
$cx
Main class instance
protected
Cx
$cx
= null
$developerDocumentationUrl
URL pointing to the developer documentation for this component
protected
string
$developerDocumentationUrl
= ''
Developer documentation URL
$enduserDocumentationUrl
URL pointing to the end-user documentation for this component
protected
string
$enduserDocumentationUrl
= ''
End-user documentation URL
$isCspSet
Whether the (header for the) Content Security Policy has been set for the current request.
protected
bool
$isCspSet
= false
$systemComponent
Decorated SystemComponent
protected
SystemComponent
$systemComponent
$templateDocumentationUrl
URL pointing to the template definitions for this component
protected
string
$templateDocumentationUrl
= ''
Template documentation URL
$useCspImgSrcData
Indicates whether data URLs should be allowed for image sources in CSP.
protected
bool
$useCspImgSrcData
= false
Enabling this allows images to be sourced directly from data URLs.
$useCspScriptSrcUnsafeInline
Indicates whether 'unsafe-inline' should be allowed for script sources in CSP.
protected
bool
$useCspScriptSrcUnsafeInline
= false
This can be a security risk and should be enabled only when absolutely necessary.
$useCspWorkerSrcSelf
Indicates whether 'self' should be allowed for worker sources in CSP.
protected
bool
$useCspWorkerSrcSelf
= false
By default, no worker sources are allowed.
Methods
__call()
Decoration: all methods that are not specified in this or child classes call the corresponding method of the decorated SystemComponent
public
__call(string $methodName, array<string|int, mixed> $arguments) : mixed
Parameters
- $methodName : string
  Name of method to call
- $arguments : array<string|int, mixed>
  List of arguments for the method to call
Attributes
- #[ReturnTypeWillChange]
Return values
mixed —Return value of the method to call
__construct()
Initializes a controller
public
__construct(SystemComponent $systemComponent, Cx $cx) : mixed
Parameters
- $systemComponent : SystemComponent
  SystemComponent to decorate
- $cx : Cx
  The Cloudrexx main class
adjustResponse()
Do something with a Response object. You may do page alterations here (like changing the meta title). You may do response alterations here (like setting headers). PLEASE MAKE SURE THIS METHOD IS MOCKABLE. IT MAY ONLY INTERACT WITH THE resolve() HOOK.
public
adjustResponse(Response $response) : mixed
Parameters
- $response : Response
  Response object to adjust
delayResponseUntil()
Artificially delay response
public
delayResponseUntil(int $microseconds) : void
Calling this method will halt the script execution until the elapsed runtime has reached $microseconds. Use this method to protect a sensitive operation against a timing attack.
Parameters
- $microseconds : int
  Overall runtime in microseconds that must be reached until script execution is continued.
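Added example, not Cloudrexx code: a stand-alone delayResponseUntil() with the behaviour described above, wrapped around a credential check so that an unknown user and a wrong password take the same time to answer. The user store, verifyUser() and the 250 ms budget are constructed for this sketch.

```php
<?php
// Added example (not Cloudrexx code): pad a sensitive operation to a fixed
// request runtime, as described for delayResponseUntil().
// The user store and the 250 ms budget are constructed for this sketch.

/** Block until the elapsed request runtime has reached $microseconds. */
function delayResponseUntil(int $microseconds): void
{
    // Measure from the start of the request, not from this call, so that
    // every code path executed before this point is covered by the budget.
    $start = $_SERVER['REQUEST_TIME_FLOAT'] ?? microtime(true);
    $deadline = $start + $microseconds / 1e6;
    // usleep() may wake up early; loop until the deadline has really passed.
    while (($remaining = $deadline - microtime(true)) > 0) {
        usleep((int) ceil($remaining * 1e6));
    }
}

/** Constant-budget login check: unknown user and bad password behave alike. */
function verifyUser(array $users, string $dummyHash, string $name, string $password): bool
{
    // Always run password_verify(), against a dummy hash if the user is unknown,
    // so the expensive hashing step is not skipped on one branch.
    $known = isset($users[$name]);
    $ok = password_verify($password, $known ? $users[$name] : $dummyHash) && $known;
    // Pick the budget above the slowest realistic path: padding cannot hide
    // work that takes longer than the budget itself.
    delayResponseUntil(250000);
    return $ok;
}

// Constructed user store (hashes only) and a dummy hash computed once at startup.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

$result = verifyUser($users, $dummyHash, 'nobody', 'anything');
$elapsedMs = (microtime(true) - ($_SERVER['REQUEST_TIME_FLOAT'] ?? 0)) * 1000;
printf("login ok: %s, answered after %.0f ms\n", var_export($result, true), $elapsedMs);
```

Because the deadline is measured from request start, a second call within the same request returns immediately once the budget has passed; each web request is its own script, so that is the intended behaviour.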
detectIntrusion()
Detect intrusion
public
detectIntrusion(mixed $array) : array<string|int, mixed>
Looks through an array and tries to detect possible hacking attempts.
Parameters
- $array : mixed
  The array (or string) to check for security.
Return values
array<string|int, mixed> —The array with the trusted values, or the string
enableCspImgSrcData()
Enables the use of data URLs for image sources in the CSP settings.
public
enableCspImgSrcData() : void
This setting permits images to be loaded directly from data URLs, which can be useful for embedded images but might increase exposure to data injection attacks.
enableCspScriptSrcUnsafeInline()
Enables the use of 'unsafe-inline' for script sources in the CSP settings.
public
enableCspScriptSrcUnsafeInline() : void
This setting allows inline scripts to be executed, which can be necessary for certain legacy applications or specific inline script usage but reduces security.
enableCspWorkerSrcSelf()
Enables the use of 'self' for worker sources in the CSP settings.
public
enableCspWorkerSrcSelf() : void
This restricts the sources from which web workers can be loaded to the same origin as the document, enhancing security by preventing the execution of workers from untrusted sources.
executeCommand()
Execute one of the commands listed in getCommandsForCommandMode()
public
executeCommand(mixed $command, mixed $arguments[, mixed $dataArguments = array() ]) : void
Parameters
- $command : mixed
  Name of command to execute
- $arguments : mixed
  List of arguments for the command
- $dataArguments : mixed = array()
  (optional) List of data arguments for the command
getCommandDescription()
Returns the description for a command provided by this component
public
getCommandDescription(mixed $command[, mixed $short = false ]) : string
Parameters
- $command : mixed
  The name of the command to fetch the description from
- $short : mixed = false
  Whether to return the short or the long description
Return values
string —Command description
getCommandsForCommandMode()
Returns a list of command mode commands provided by this component
public
getCommandsForCommandMode() : array<string|int, mixed>
Return values
array<string|int, mixed> —List of command names
getComponent()
Get component controller object
public
getComponent(string $name) : SystemComponentController
Parameters
- $name : string
  Component name
Return values
SystemComponentController —The requested component controller or null if no such component exists
getConfigValue()
Returns a value from the config tree
public
getConfigValue(string $key) : string
Parameters
- $key : string
  Slash-separated path to requested branch
Return values
string —Requested value as string
getConfigValues()
Returns part of the config tree
public
getConfigValues(string $key) : array<string|int, mixed>
Parameters
- $key : string
  Slash-separated path to requested branch
Return values
array<string|int, mixed> —Requested values
getController()
Returns a controller instance if one already exists
public
getController(mixed $controllerClass) : Controller
Parameters
- $controllerClass : mixed
  Short or FQCN controller name
Return values
Controller —Controller instance
getControllerClasses()
Returns all Controller class names for this component (except this)
public
getControllerClasses() : array<string|int, mixed>
Be sure to return all your controller classes if you add your own
Return values
array<string|int, mixed> —List of Controller class names (without namespace)
getControllers()
Returns a list of controllers
public
getControllers([bool $loadedOnly = true ]) : array<string|int, mixed>
Parameters
- $loadedOnly : bool = true
  (optional) If false, controllers that did not register are instantiated; default true
Return values
array<string|int, mixed> —List of Controller instances
getControllersAccessableByJson()
Returns a list of JsonAdapter class names
public
getControllersAccessableByJson() : array<string|int, mixed>
The array values might be a class name without namespace. In that case the namespace \Cx{component_type}{component_name}\Controller is used. If the array value starts with a backslash, no namespace is added.
Avoid calculation of anything, just return an array!
Return values
array<string|int, mixed> —List of ComponentController classes
getDeveloperDocumentationUrl()
Returns the URL pointing to the developer documentation of this component.
public
getDeveloperDocumentationUrl() : string
Return values
string —URL pointing to the developer documentation
getEnduserDocumentationUrl()
Returns the URL pointing to the end-user documentation for this component.
public
getEnduserDocumentationUrl() : string
Return values
string —URL pointing to the end-user documentation or empty string
getRequestInfo()
Get request info
public
getRequestInfo(mixed $reqarray, mixed $arrname) : string
Lists the content for an array for sending it with an e-mail
Parameters
- $reqarray : mixed
  The array to send the contents from.
- $arrname : mixed
  The name in the array.
Return values
string —The value ready to send
getSystemComponent()
Returns the SystemComponent this Controller decorates
public
getSystemComponent() : SystemComponent
Return values
SystemComponent
getSystemComponentController()
Returns the main controller
public
getSystemComponentController() : SystemComponentController
Return values
SystemComponentController —Main controller for this system component
getTemplateDocumentationUrl()
Returns the URL pointing to the template documentation for this component.
public
getTemplateDocumentationUrl() : string
Return values
string —URL pointing to the template documentation or empty string
hasAccessToExecuteCommand()
Check whether the command has access to execute or not.
public
hasAccessToExecuteCommand(string $command, array<string|int, mixed> $arguments) : bool
Parameters
- $command : string
  Name of the command to execute
- $arguments : array<string|int, mixed>
  List of arguments for the command
Return values
bool
isCspOnFetchDirectivesEnabled()
Check if Content Security Policy for script-src shall be set
public
isCspOnFetchDirectivesEnabled() : bool
Return values
bool —True if Content Security Policy for script-src is enabled and shall be set in response.
load()
Load your component. It is needed for this request.
public
load(Page $page) : mixed
This loads your FrontendController or BackendController depending on the mode Cx runs in. For modes other than frontend and backend, nothing is done. If you'd like to name your Controllers differently, or have another use case, overwrite this.
Parameters
- $page : Page
  The resolved page
postComponentLoad()
Do something after all active components are loaded. USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE.
public
postComponentLoad() : mixed
postContentLoad()
Do something after content is loaded from DB
public
postContentLoad(Page $page) : mixed
USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE
Parameters
- $page : Page
  The resolved page
postContentParse()
Do something after a module is loaded
public
postContentParse(Page $page) : mixed
This method is called only if any module gets loaded for content parsing. USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE.
Parameters
- $page : Page
  The resolved page
postFinalize()
Do something after main template got parsed
public
postFinalize(mixed &$endcode) : mixed
Parameters
- $endcode : mixed
  The processed data to be sent to the client as response
postInit()
Do something after system initialization
public
postInit(Cx $cx) : mixed
USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE. This event must be registered in the postInit-Hook definition file config/postInitHooks.yml.
Parameters
- $cx : Cx
  The instance of \Cx\Core\Core\Controller\Cx
postResolve()
Do something after resolving is done
public
postResolve(Page $page) : mixed
USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE
Parameters
- $page : Page
  The resolved page
preComponentLoad()
Do something before component load. USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE.
public
preComponentLoad() : mixed
This event must be registered in the preComponentLoad-Hook definition file config/preComponentLoadHooks.yml.
preContentLoad()
Do something before content is loaded from DB
public
preContentLoad(Page $page) : mixed
USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE
Parameters
- $page : Page
  The resolved page
preContentParse()
Do something before a module is loaded
public
preContentParse(Page $page) : mixed
This method is called only if any module gets loaded for content parsing. USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE.
Parameters
- $page : Page
  The resolved page
preFinalize()
Do something before main template gets parsed
public
preFinalize(Sigma $template) : mixed
USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE
Parameters
- $template : Sigma
  The main template
preInit()
Do something before system initialization
public
preInit(Cx $cx) : mixed
USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE. This event must be registered in the preInit-Hook definition file config/preInitHooks.yml.
Parameters
- $cx : Cx
  The instance of \Cx\Core\Core\Controller\Cx
preResolve()
Do something before resolving is done
public
preResolve(Url $request) : mixed
Parameters
- $request : Url
  The URL object for this request
registerController()
Registers a controller instance
public
registerController(Controller $controller) : null
Parameters
- $controller : Controller
  Controller to register
Return values
null
registerEventListeners()
Register your event listeners here
public
registerEventListeners() : mixed
USE CAREFULLY, DO NOT DO ANYTHING COSTLY HERE! CALCULATE YOUR STUFF AS LATE AS POSSIBLE. Keep in mind that you can also register your events later. Do not do anything else here than initializing your event listeners and listing statements like $this->cx->getEvents()->addEventListener($eventName, $listener);
registerEvents()
Register your events here
public
registerEvents() : mixed
Do not do anything else here than list statements like $this->cx->getEvents()->addEvent($eventName);
registerTrustedCspSource()
Add $source to the Content-Security-Policy $fetchDirective.
public
registerTrustedCspSource(string $fetchDirective, string $source) : void
Set sources are stored in static::$cspSources.
Parameters
- $fetchDirective : string
  The fetch directive to add $source to. Can be one of:
  - connect-src
  - font-src
  - frame-src
  - img-src
  - manifest-src
  - media-src
  - style-src
  - worker-src
- $source : string
  The source to trust.
registerTrustedCspSources()
Check if Content Security Policy for script-src shall be set
public
registerTrustedCspSources(string &$content) : bool
Parameters
- $content : string
Return values
bool —True if Content Security Policy for script-src is enabled and shall be set in response.
resolve()
Called for additional, component specific resolving
public
resolve(array<string|int, mixed> $parts, Page $page) : mixed
If /en/Path/to/Page is the path to a page for this component, a request like /en/Path/to/Page/with/some/parameters will give an array like array('with', 'some', 'parameters') for $parts. PLEASE MAKE SURE THIS METHOD IS MOCKABLE. IT MAY ONLY INTERACT WITH THE adjustResponse() HOOK.
This may be used to redirect to another page
Parameters
- $parts : array<string|int, mixed>
  List of additional path parts
- $page : Page
  Resolved virtual page
setSystemComponent()
Sets the SystemComponent this Controller decorates
public
setSystemComponent(mixed $systemComponent) : SystemComponent
Parameters
- $systemComponent : mixed
Return values
SystemComponent
adjustFullyQualifiedClassName()
This makes sure a FQCN does not contain double backslashes
protected
adjustFullyQualifiedClassName(string $className) : string
Parameters
- $className : string
  FQCN of a controller
Return values
string —Clean FQCN of a controller
blockMimeSniffing()
Blocks MIME sniffing unless it has been disabled.
protected
blockMimeSniffing() : mixed
configureCspBaseUri()
Configure base-uri directive of the Content-Security-Policy header.
protected
configureCspBaseUri() : void
configureCspChildSrc()
Configure child-src directive of the Content-Security-Policy header.
protected
configureCspChildSrc() : void
configureCspConnectSrc()
Configure connect-src directive of the Content-Security-Policy header.
protected
configureCspConnectSrc() : void
configureCspDefaultSrc()
Configure default-src directive of the Content-Security-Policy header.
protected
configureCspDefaultSrc() : void
configureCspFontSrc()
Configure font-src directive of the Content-Security-Policy header.
protected
configureCspFontSrc() : void
configureCspFrameAncestors()
Configure frame-ancestors directive of the Content-Security-Policy header.
protected
configureCspFrameAncestors() : mixed
This is used to allow or prevent embedding this website. Embedding of the backend is never allowed.
configureCspFrameSrc()
Configure frame-src directive of the Content-Security-Policy header.
protected
configureCspFrameSrc() : void
configureCspImgSrc()
Configure img-src directive of the Content-Security-Policy header.
protected
configureCspImgSrc() : void
configureCspManifestSrc()
Configure manifest-src directive of the Content-Security-Policy header.
protected
configureCspManifestSrc() : void
configureCspMediaSrc()
Configure media-src directive of the Content-Security-Policy header.
protected
configureCspMediaSrc() : void
configureCspObjectSrc()
Configure object-src directive of the Content-Security-Policy header.
protected
configureCspObjectSrc() : void
configureCspScriptSrc()
Configure script-src directive of the Content-Security-Policy header.
protected
configureCspScriptSrc(string &$content) : void
Parameters
- $content : string
  HTML response to be sent back to the client
configureCspStyleSrc()
Configure style-src directive of the Content-Security-Policy header.
protected
configureCspStyleSrc(string &$content) : void
Parameters
- $content : string
  HTML response to be sent back to the client
configureCspWorkerSrc()
Configure worker-src directive of the Content-Security-Policy header.
protected
configureCspWorkerSrc() : void
fetchCspViolations()
Fetch CSP violation reports
protected
fetchCspViolations(array<string|int, mixed> $report) : array<string|int, mixed>
Parameters
- $report : array<string|int, mixed>
  Data from one or more violation reports generated in response to a reporting-endpoints HTTP header or one CSP violation report in response to a report-uri or report-to HTTP header.
Return values
array<string|int, mixed> —List of violation reports with each report having the keys 'url' and 'report', where 'url' contains the document URL of the violation report and 'report' contains the reported violation data.
fetchTrustedCspSources()
Fetches trusted CSP sources from the HTML content by identifying previously marked tags with unique IDs and extracting their relevant 'src' attributes to form CSP-compliant URLs.
protected
fetchTrustedCspSources(string|null &$content) : void
This function further processes nested tags if specified in static::$cspSourceTags.
Parameters
- $content : string|null
  The HTML content to be processed. Passed by reference to modify directly. If content is null or empty, the function will return early.
fetchViolationFromLegacyCspReport()
Fetch legacy CSP violation report
protected
fetchViolationFromLegacyCspReport(array<string|int, mixed> $report) : array<string|int, mixed>
Parameters
- $report : array<string|int, mixed>
  Data from a CSP violation report generated in response to a report-uri or report-to HTTP header.
Return values
array<string|int, mixed> —Violation report with keys 'url' and 'report', where 'url' contains the document URL of the violation report and 'report' contains the reported violation data.
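Added example, not the component's code: the two report formats that fetchCspViolations() and fetchViolationFromLegacyCspReport() distinguish, normalised to the ['url' => ..., 'report' => ...] shape their return values describe. The function names mirror the page but are re-implementations; the sample payloads and the 64 KiB body limit are constructed for this sketch.

```php
<?php
// Added example (not Cloudrexx code): normalise CSP violation reports.
// Legacy format (report-uri, and report-to on older browsers): one JSON object
// under the "csp-report" key, sent as application/csp-report.
// Reporting API format (Reporting-Endpoints): a JSON list of typed reports,
// sent as application/reports+json. Requires PHP 8.1 for array_is_list().

/** Legacy format: one object under the "csp-report" key. */
function violationFromLegacyReport(array $report): ?array
{
    $body = $report['csp-report'] ?? null;
    if (!is_array($body) || !isset($body['document-uri'])) {
        return null;
    }
    return ['url' => (string) $body['document-uri'], 'report' => $body];
}

/** Reporting API format: keep only entries of type "csp-violation". */
function violationsFromReportingApi(array $reports): array
{
    $out = [];
    foreach ($reports as $entry) {
        if (!is_array($entry) || ($entry['type'] ?? '') !== 'csp-violation') {
            continue; // deprecation, intervention, ... are not CSP reports
        }
        if (!isset($entry['url']) || !is_array($entry['body'] ?? null)) {
            continue;
        }
        $out[] = ['url' => (string) $entry['url'], 'report' => $entry['body']];
    }
    return $out;
}

/** Dispatch on the payload shape and return a list of {url, report} pairs. */
function fetchCspViolations(array $report): array
{
    if (array_key_exists('csp-report', $report)) {
        $v = violationFromLegacyReport($report);
        return $v === null ? [] : [$v];
    }
    if (array_is_list($report)) {
        return violationsFromReportingApi($report);
    }
    return [];
}

/** Decode a request body defensively: the report endpoint is reachable by anyone. */
function decodeReportBody(string $raw, int $maxBytes = 65536): array
{
    if (strlen($raw) > $maxBytes) {
        return [];
    }
    $data = json_decode($raw, true, 16);
    return is_array($data) ? $data : [];
}

// Constructed sample payloads: one legacy report, one Reporting API batch.
$legacy = '{"csp-report":{"document-uri":"https://www.example.com/en/Home",'
    . '"violated-directive":"img-src","effective-directive":"img-src",'
    . '"blocked-uri":"https://tracker.example.net/pixel.gif",'
    . '"original-policy":"default-src \'self\'","disposition":"report"}}';
$modern = '[{"age":42,"type":"csp-violation","url":"https://www.example.com/en/Home",'
    . '"user_agent":"Mozilla/5.0","body":{"documentURL":"https://www.example.com/en/Home",'
    . '"blockedURL":"inline","effectiveDirective":"script-src","disposition":"enforce",'
    . '"statusCode":200}},'
    . '{"age":1,"type":"deprecation","url":"https://www.example.com/","body":{}}]';

foreach ([$legacy, $modern] as $raw) {
    foreach (fetchCspViolations(decodeReportBody($raw)) as $v) {
        // Legacy reports use kebab-case keys, Reporting API bodies camelCase.
        $directive = $v['report']['effective-directive']
            ?? $v['report']['effectiveDirective']
            ?? '?';
        // Every field is client-supplied: escape before writing to logs or HTML.
        printf("%s violated %s\n", $v['url'], $directive);
    }
}
```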
getControllerClassName()
This finds the correct FQCN for a controller name
protected
getControllerClassName(string $controllerClassShort) : string
Parameters
- $controllerClassShort : string
  Short name for controller
Return values
string —Fully qualified controller class name
getCspSourcesFromTheme()
Retrieves CSP (Content Security Policy) source definitions for a specific directive from the theme's configuration.
protected
getCspSourcesFromTheme(string $directive) : array<string|int, mixed>
This method is designed to fetch CSP settings that are predefined within the active theme's component data. It only operates in the frontend mode of the application, ensuring that CSP data is relevant to the rendered output.
Parameters
- $directive : string
  The CSP directive for which sources are to be retrieved, e.g., 'style-src', 'img-src'.
Return values
array<string|int, mixed> —An array of CSP sources associated with the specified directive. Returns an empty array if the directive is not set or the system is not in frontend mode.
getSupportedProtocols()
Returns the value of the setting option forceProtocolFrontend if we're in frontend or otherwise the value of option forceProtocolBackend.
protected
getSupportedProtocols() : string
Return values
string —One of 'none', 'http' or 'https'
loadConfigFile()
Loads a config YAML file
protected
loadConfigFile(string $filename) : array<string|int, mixed>
Parameters
- $filename : string
  Name of the file to load
Return values
array<string|int, mixed> —Loaded data
loadData()
Load data from Component.yml
protected
loadData() : void
markTrustedCspSources()
Marks specific HTML tags as trusted for CSP based on the predefined {@see static::$cspSourceTags}.
protected
markTrustedCspSources(string &$content) : void
It processes the HTML content, finding tags defined in static::$cspSourceTags and wrapping them with unique comments that include a dynamically generated ID.
Parameters
- $content : string
  The HTML content to be processed. Passed by reference to modify directly.
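Added example, not Cloudrexx code: a stand-alone sketch of the two-phase flow described for markTrustedCspSources() and fetchTrustedCspSources(), driven by the same mapping as $cspSourceTags. The marker comment format, the random ID scheme, the layout of the collected sources and the reduction of a URL to a scheme://host source expression are assumptions of this sketch, and the sample HTML is constructed.

```php
<?php
// Added example (not Cloudrexx code): mark tags listed in $cspSourceTags with
// unique comments, then later collect src attributes only from tags whose
// marker is still present. Marker format and source derivation are assumptions.

final class CspSourceCollector
{
    // Same mapping as the component's $cspSourceTags.
    private array $cspSourceTags = [
        'frame-src' => ['frame', 'iframe'],
        'media-src' => [
            'audio' => ['source', 'track'],
            'video' => ['source', 'track'],
        ],
    ];

    private int $cspSourceIndex = 0;
    private array $cspSourceIds = [];   // marker id => directive
    private array $cspSources = [];     // directive => [source expression, ...]

    /** Phase 1: wrap every mapped (parent) tag in a pair of marker comments. */
    public function mark(string &$content): void
    {
        foreach ($this->cspSourceTags as $directive => $tags) {
            foreach ($tags as $key => $value) {
                // Either 'tag' or 'parent' => ['child', ...]; the parent tag
                // is marked together with everything up to its closing tag.
                $tag = is_int($key) ? $value : $key;
                $content = preg_replace_callback(
                    '#<' . $tag . '\b[^>]*?(?:/>|>.*?</' . $tag . '>)#is',
                    function (array $m) use ($directive): string {
                        // Random part keeps markers unguessable for content
                        // that is added to the page after marking.
                        $id = 'csp-' . (++$this->cspSourceIndex) . '-' . bin2hex(random_bytes(4));
                        $this->cspSourceIds[$id] = $directive;
                        return "<!--{$id}-->" . $m[0] . "<!--/{$id}-->";
                    },
                    $content
                );
            }
        }
    }

    /** Phase 2: trust only tags still enclosed by a marker issued in phase 1. */
    public function fetch(?string &$content): void
    {
        if ($content === null || $content === '') {
            return;
        }
        foreach ($this->cspSourceIds as $id => $directive) {
            if (!preg_match("#<!--{$id}-->(.*?)<!--/{$id}-->#s", $content, $m)) {
                continue; // marker gone: the tag was removed or rewritten
            }
            // src of the marked tag itself plus src of nested child tags
            if (preg_match_all('#\bsrc\s*=\s*["\']([^"\']+)["\']#i', $m[1], $srcs)) {
                foreach ($srcs[1] as $src) {
                    $expr = self::toSourceExpression($src);
                    if ($expr !== null && !in_array($expr, $this->cspSources[$directive] ?? [], true)) {
                        $this->cspSources[$directive][] = $expr;
                    }
                }
            }
            // Strip the markers so they never reach the client.
            $content = str_replace(["<!--{$id}-->", "<!--/{$id}-->"], '', $content);
        }
    }

    public function getCspSources(): array
    {
        return $this->cspSources;
    }

    /** Reduce a URL to a host-source expression; relative URLs are same-origin. */
    private static function toSourceExpression(string $src): ?string
    {
        $p = parse_url(trim($src));
        if ($p === false) {
            return null;
        }
        if (empty($p['host'])) {
            return "'self'";
        }
        $scheme = isset($p['scheme']) ? strtolower($p['scheme']) . '://' : '';
        return $scheme . strtolower($p['host']) . (isset($p['port']) ? ':' . $p['port'] : '');
    }
}

// Constructed sample content as it would come from the CMS.
$html = '<p>Intro</p>'
    . '<iframe src="https://www.youtube.com/embed/abc"></iframe>'
    . '<video controls><source src="/media/clip.mp4">'
    . '<track src="https://cdn.example.org/sub.vtt"></video>';
$c = new CspSourceCollector();
$c->mark($html);
// A tag appended after marking carries no marker and contributes no source.
$html .= '<iframe src="https://untrusted.example/"></iframe>';
$c->fetch($html);
print_r($c->getCspSources());
// frame-src: https://www.youtube.com   media-src: 'self', https://cdn.example.org
```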
ReportCsp()
Report CSP violation
protected
ReportCsp(array<string|int, mixed> $report) : void
Parameters
- $report : array<string|int, mixed>
scanRequest()
Scan input arguments for potential attacks
protected
scanRequest() : mixed
setContentSecurityPolicy()
Configure HTTP header Content-Security-Policy
protected
setContentSecurityPolicy(string &$content) : mixed
Parameters
- $content : string
-
HTML response to be sent back to the client
setCspReporting()
Enable Content Security Policy violation reporting to the client
protected
setCspReporting() : void
setHSTS()
Configure HTTP header Strict-Transport-Security
protected
setHSTS() : mixed
setUpgradeInsecureRequests()
Set Content-Security-Policy upgrade-insecure-requests if HTTPS is enforced.
protected
setUpgradeInsecureRequests() : void
useCspReportOnly()
Whether to set Content-Security-Policy-Report-Only in backend or not.
protected
useCspReportOnly() : bool
Return values
bool —true if in backend mode and csp-report-only shall be enabled.