diff --git a/src/CSPBuilder.php b/src/CSPBuilder.php index 57c817e..3b2113c 100644 --- a/src/CSPBuilder.php +++ b/src/CSPBuilder.php @@ -353,28 +353,6 @@ public function hash( return $this; } - /** - * Add a new (pre-calculated) base64-encoded hash to the existing CSP - * - * @param string $directive - * @param string $hash - * @param string $algorithm - * @return self - */ - public function preHash( - string $directive = 'script-src', - string $hash = '', - string $algorithm = 'sha384' - ): self { - $ruleKeys = \array_keys($this->policies); - if (\in_array($directive, $ruleKeys)) { - $this->policies[$directive]['hashes'] []= [ - $algorithm => $hash - ]; - } - return $this; - } - /** * PSR-7 header injection. * @@ -418,6 +396,28 @@ public function nonce(string $directive = 'script-src', string $nonce = ''): str return $nonce; } + /** + * Add a new (pre-calculated) base64-encoded hash to the existing CSP + * + * @param string $directive + * @param string $hash + * @param string $algorithm + * @return self + */ + public function preHash( + string $directive = 'script-src', + string $hash = '', + string $algorithm = 'sha384' + ): self { + $ruleKeys = \array_keys($this->policies); + if (\in_array($directive, $ruleKeys)) { + $this->policies[$directive]['hashes'] []= [ + $algorithm => $hash + ]; + } + return $this; + } + /** * Save CSP to a snippet file * 
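Review bot: preHash on the new side silently drops the hash when `$directive` is not already a key of `$this->policies` — the `\in_array($directive, $ruleKeys)` branch simply falls through to `return $this;` — whereas the `set*Allowed` setters in this file throw for an unknown directive, so a misspelled directive name here yields a policy that is quietly missing a script or style hash. It also accepts any `$algorithm` and any `$hash` string; CSP only recognises sha256/sha384/sha512, and a hash source with another algorithm is ignored by browsers, so the mistake only surfaces as blocked content in production. I would add a strict membership test and an algorithm whitelist: `if (!\in_array($directive, $ruleKeys, true)) { throw new \Exception('Directive ' . $directive . ' does not exist'); }` and `if (!\in_array($algorithm, ['sha256', 'sha384', 'sha512'], true)) { throw new \Exception('Unsupported hash algorithm: ' . $algorithm); }`. If `$hash` is later emitted into the header verbatim (the serializer is not in this hunk), a base64 character-class check on it would also keep a malformed value from corrupting the header.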
@@ -490,138 +490,138 @@ public function sendCSPHeader(bool $legacy = true): bool } /** - * Allow/disallow blob: URIs for a given directive + * Allow/disallow unsafe-eval within a given directive. * * @param string $directive * @param bool $allow * @return self * @throws \Exception */ - public function setBlobAllowed(string $directive = '', bool $allow = false): self + public function setAllowUnsafeEval(string $directive = '', bool $allow = false): self { if (!\in_array($directive, self::$directives)) { throw new \Exception('Directive ' . $directive . ' does not exist'); } - $this->policies[$directive]['blob'] = $allow; + $this->policies[$directive]['unsafe-eval'] = $allow; return $this; } /** - * Allow/disallow data: URIs for a given directive + * Allow/disallow unsafe-inline within a given directive. * * @param string $directive * @param bool $allow * @return self * @throws \Exception */ - public function setDataAllowed(string $directive = '', bool $allow = false): self + public function setAllowUnsafeInline(string $directive = '', bool $allow = false): self { if (!\in_array($directive, self::$directives)) { throw new \Exception('Directive ' . $directive . ' does not exist'); } - $this->policies[$directive]['data'] = $allow; + $this->policies[$directive]['unsafe-inline'] = $allow; return $this; } /** - * Allow/disallow filesystem: URIs for a given directive + * Allow/disallow blob: URIs for a given directive * * @param string $directive * @param bool $allow * @return self * @throws \Exception */ - public function setFileSystemAllowed(string $directive = '', bool $allow = false): self + public function setBlobAllowed(string $directive = '', bool $allow = false): self { if (!\in_array($directive, self::$directives)) { throw new \Exception('Directive ' . $directive . 
' does not exist'); } - $this->policies[$directive]['filesystem'] = $allow; + $this->policies[$directive]['blob'] = $allow; return $this; } /** - * Allow/disallow mediastream: URIs for a given directive + * Allow/disallow data: URIs for a given directive * * @param string $directive * @param bool $allow * @return self * @throws \Exception */ - public function setMediaStreamAllowed(string $directive = '', bool $allow = false): self + public function setDataAllowed(string $directive = '', bool $allow = false): self { if (!\in_array($directive, self::$directives)) { throw new \Exception('Directive ' . $directive . ' does not exist'); } - $this->policies[$directive]['mediastream'] = $allow; + $this->policies[$directive]['data'] = $allow; return $this; } /** - * Allow/disallow self URIs for a given directive + * Set a directive. + * + * This lets you overwrite a complex directive entirely (e.g. script-src) + * or set a top-level directive (e.g. report-uri). + * + * @param string $key + * @param mixed $value * - * @param string $directive - * @param bool $allow * @return self - * @throws \Exception */ - public function setSelfAllowed(string $directive = '', bool $allow = false): self + public function setDirective(string $key, $value = []): self { - if (!\in_array($directive, self::$directives)) { - throw new \Exception('Directive ' . $directive . ' does not exist'); - } - $this->policies[$directive]['self'] = $allow; + $this->policies[$key] = $value; return $this; } /** - * Allow/disallow unsafe-eval within a given directive. + * Allow/disallow filesystem: URIs for a given directive * * @param string $directive * @param bool $allow * @return self * @throws \Exception */ - public function setAllowUnsafeEval(string $directive = '', bool $allow = false): self + public function setFileSystemAllowed(string $directive = '', bool $allow = false): self { if (!\in_array($directive, self::$directives)) { throw new \Exception('Directive ' . $directive . 
' does not exist'); } - $this->policies[$directive]['unsafe-eval'] = $allow; + $this->policies[$directive]['filesystem'] = $allow; return $this; } /** - * Allow/disallow unsafe-inline within a given directive. + * Allow/disallow mediastream: URIs for a given directive * * @param string $directive * @param bool $allow * @return self * @throws \Exception */ - public function setAllowUnsafeInline(string $directive = '', bool $allow = false): self + public function setMediaStreamAllowed(string $directive = '', bool $allow = false): self { if (!\in_array($directive, self::$directives)) { throw new \Exception('Directive ' . $directive . ' does not exist'); } - $this->policies[$directive]['unsafe-inline'] = $allow; + $this->policies[$directive]['mediastream'] = $allow; return $this; } /** - * Set a directive. - * - * This lets you overwrite a complex directive entirely (e.g. script-src) - * or set a top-level directive (e.g. report-uri). - * - * @param string $key - * @param mixed $value + * Allow/disallow self URIs for a given directive * + * @param string $directive + * @param bool $allow * @return self + * @throws \Exception */ - public function setDirective(string $key, $value = []): self + public function setSelfAllowed(string $directive = '', bool $allow = false): self { - $this->policies[$key] = $value; + if (!\in_array($directive, self::$directives)) { + throw new \Exception('Directive ' . $directive . ' does not exist'); + } + $this->policies[$directive]['self'] = $allow; return $this; }
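Review bot: setDirective, now placed between setDataAllowed and setFileSystemAllowed, is the one setter in this run that does not check its key against `self::$directives` and takes an untyped `$value`, so a misspelled directive name, or a scalar where the siblings store an array of flags, is written straight into `$this->policies` and presumably reaches the emitted header unchecked. I would mirror the siblings' guard, `if (!\in_array($key, self::$directives, true)) { throw new \Exception('Directive ' . $key . ' does not exist'); }`, extending `self::$directives` first if it does not yet list the top-level keys the docblock promises (report-uri), which I cannot see from this hunk. The surrounding `\in_array($directive, self::$directives)` calls would also benefit from the `true` strict flag, since the list is plain strings and loose comparison buys nothing. The enclosing class continues past the hunk's last line.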