ContentSecurityPolicy::getNonce() - Code Metrics - Inspection of "CSP header file, not sure it will work that way" - cloud-solutions/zend-sentry - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — sentry-feature-csp-inline-scri... ( e5f5b4 )

by Markus

created 2018-10-20 13:47 UTC

ContentSecurityPolicy::getNonce() A

↳ Parent: ContentSecurityPolicy

Complexity

Conditions	2
Paths	2

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	7
rs	10
c	0
b	0
f	0
cc	2
nc	2
nop	0

<?php


namespace ZendSentry\Http\Header;

/**
 * Content Security Policy Header
 *
 * @link http://www.w3.org/TR/CSP/
 */
class ContentSecurityPolicy extends \Zend\Http\Header\ContentSecurityPolicy
{
    public const KEY_CSP = 'csp';

    public const DIRECTIVE_DEFAULT_SRC     = 'default-src';
    public const DIRECTIVE_SCRIPT_SRC      = 'script-src';
    public const DIRECTIVE_STYLE_SRC       = 'style-src';
    public const DIRECTIVE_FONT_SRC        = 'font-src';
    public const DIRECTIVE_IMG_SRC         = 'img-src';
    public const DIRECTIVE_FRAME_ANCESTORS = 'frame-ancestors';
    public const DIRECTIVE_BASE_URI        = 'base-uri';
    public const DIRECTIVE_FORM_ACTION     = 'form-action';
    public const DIRECTIVE_CONNECT_SRC     = 'connect-src';
    public const DIRECTIVE_REPORT_URI      = 'report-uri';

    public const SOURCE_ALL  = '*';
    public const SOURCE_SELF = "'self'";
    public const SOURCE_DATA = 'data:';

    // These UNSAFE directives should be avoided
    public const SOURCE_UNSAFE_INLINE = "'unsafe-inline'";
    public const SOURCE_UNSAFE_EVAL   = "'unsafe-eval'";

    /**
     * @var string
     */
    private static $nonce;

    /**
     * ContentSecurityPolicy constructor.*
     */
    public function __construct()
    {
        $this->init();
    }

    /**
     * Returns a new nonce for each request.
     *
     * @return string
     */
    public static function getNonce(): string
    {
        if (self::$nonce === null) {
            self::$nonce = base64_encode(random_bytes(20));
        }
        return self::$nonce;
    }

    /**
     * Set the needed CSP directives for ZendSentry
     */
    public function init(): void
    {
        $csp = [
            self::DIRECTIVE_SCRIPT_SRC => [
                'cdn.ravenjs.com',
                sprintf("'nonce-%s'", self::getNonce()),
            ]
        ];

        foreach ($csp as $directive => $sources) {
            $this->setDirective($directive, $sources);
        }
    }
}

1			<?php
2
3
4			namespace ZendSentry\Http\Header;
5
6			/**
7			* Content Security Policy Header
8			*
9			* @link http://www.w3.org/TR/CSP/
10			*/
11			class ContentSecurityPolicy extends \Zend\Http\Header\ContentSecurityPolicy
12			{
13			public const KEY_CSP = 'csp';
14
15			public const DIRECTIVE_DEFAULT_SRC = 'default-src';
16			public const DIRECTIVE_SCRIPT_SRC = 'script-src';
17			public const DIRECTIVE_STYLE_SRC = 'style-src';
18			public const DIRECTIVE_FONT_SRC = 'font-src';
19			public const DIRECTIVE_IMG_SRC = 'img-src';
20			public const DIRECTIVE_FRAME_ANCESTORS = 'frame-ancestors';
21			public const DIRECTIVE_BASE_URI = 'base-uri';
22			public const DIRECTIVE_FORM_ACTION = 'form-action';
23			public const DIRECTIVE_CONNECT_SRC = 'connect-src';
24			public const DIRECTIVE_REPORT_URI = 'report-uri';
25
26			public const SOURCE_ALL = '*';
27			public const SOURCE_SELF = "'self'";
28			public const SOURCE_DATA = 'data:';
29
30			// These UNSAFE directives should be avoided
31			public const SOURCE_UNSAFE_INLINE = "'unsafe-inline'";
32			public const SOURCE_UNSAFE_EVAL = "'unsafe-eval'";
33
34			/**
35			* @var string
36			*/
37			private static $nonce;
38
39			/**
40			* ContentSecurityPolicy constructor.*
41			*/
42			public function __construct()
43			{
44			$this->init();
45			}
46
47			/**
48			* Returns a new nonce for each request.
49			*
50			* @return string
51			*/
52			public static function getNonce(): string
53			{
54			if (self::$nonce === null) {
55			self::$nonce = base64_encode(random_bytes(20));
56			}
57			return self::$nonce;
58			}
59
60			/**
61			* Set the needed CSP directives for ZendSentry
62			*/
63			public function init(): void
64			{
65			$csp = [
66			self::DIRECTIVE_SCRIPT_SRC => [
67			'cdn.ravenjs.com',
68			sprintf("'nonce-%s'", self::getNonce()),
69			]
70			];
71
72			foreach ($csp as $directive => $sources) {
73			$this->setDirective($directive, $sources);
74			}
75			}
76			}

cloud-solutions / zend-sentry

Push — sentry-feature-csp-inline-scri... ( e5f5b4 )

ContentSecurityPolicy::getNonce() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like