blob: 1d29d4c20b3420d849ef951b814b01a695b11f50 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
<?php
/**
* MINZ - Copyright 2011 Marien Fressinaud
* Sous licence AGPL3 <http://www.gnu.org/licenses/>
*/
/**
* The Minz_ActionController class is a controller in the MVC paradigm
*/
class Minz_ActionController {
protected $view;
private $csp_policies = array(
'default-src' => "'self'",
);
// Gives the possibility to override the default View type.
public static $viewType = 'Minz_View';
public function __construct () {
if (class_exists(self::$viewType)) {
$this->view = new self::$viewType();
} else {
$this->view = new Minz_View();
}
$view_path = Minz_Request::controllerName() . '/' . Minz_Request::actionName() . '.phtml';
$this->view->_path($view_path);
$this->view->attributeParams ();
}
/**
* Getteur
*/
public function view () {
return $this->view;
}
/**
* Set CSP policies.
*
* A default-src directive should always be given.
*
* References:
* - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
* - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
*
* @param array $policies An array where keys are directives and values are sources.
*/
protected function _csp($policies) {
if (!isset($policies['default-src'])) {
$action = Minz_Request::controllerName() . '#' . Minz_Request::actionName();
Minz_Log::warning(
"Default CSP policy is not declared for action {$action}.",
ADMIN_LOG
);
}
$this->csp_policies = $policies;
}
/**
* Send HTTP Content-Security-Policy header based on declared policies.
*/
public function declareCspHeader() {
$policies = [];
foreach ($this->csp_policies as $directive => $sources) {
$policies[] = $directive . ' ' . $sources;
}
header('Content-Security-Policy: ' . implode('; ', $policies));
}
/**
* Méthodes à redéfinir (ou non) par héritage
* firstAction est la première méthode exécutée par le Dispatcher
* lastAction est la dernière
*/
public function init () { }
public function firstAction () { }
public function lastAction () { }
}
|
