Create contentSecurityPolicy method (#95)

The-FireHub-Project-old · Oct 22, 2024 · 738ff22 · 738ff22
1 parent ce876cb
commit 738ff22
Show file tree

Hide file tree

Showing 5 changed files with 269 additions and 5 deletions.
diff --git a/phar/core.min.phar b/phar/core.min.phar
diff --git a/phar/core.phar b/phar/core.phar
diff --git a/src/kernel/http/firehub.Response.php b/src/kernel/http/firehub.Response.php
@@ -19,11 +19,11 @@
 use FireHub\Core\Support\Collection\Type\Indexed;
 use FireHub\Core\Support\Enums\HTTP\ {
     CommonMimeType, ContentDisposition, ContentEncoding, SiteData, StatusCode,
-    Authentication\Scheme, Contracts\StatusCode as StatusCodeContract
+    Authentication\Scheme, Contracts\StatusCode as StatusCodeContract, CSP\Directive, CSP\Value
+};
+use FireHub\Core\Support\Enums\ {
+    Language, Hash\Algorithm, String\Encoding
 };
-use FireHub\Core\Support\Enums\Language;
-use FireHub\Core\Support\Enums\Hash\Algorithm;
-use FireHub\Core\Support\Enums\String\Encoding;
 use FireHub\Core\Support\LowLevel\ {
     Hash, HTTP
 };
@@ -129,7 +129,9 @@ public function authenticate (Scheme $scheme, string $parameters = ''):self {
      * @uses \FireHub\Core\Support\Enums\HTTP\StatusCode::NOT_MODIFIED As status code.
      * @uses \FireHub\Core\Support\Enums\HTTP\StatusCode::codeStatus() To get status code with status.
      *
-     * @param \FireHub\Core\Support\Collection\Type\Indexed<array{directive:\FireHub\Core\Support\Enums\HTTP\Cache\Response, argument: null|int|string}> $directives
+     * @param \FireHub\Core\Support\Collection\Type\Indexed<array{directive:\FireHub\Core\Support\Enums\HTTP\Cache\Response, argument: null|int|string}> $directives <p>
+     * List of directives.
+     * </p>
      *
      * @return $this This response.
      */
@@ -290,6 +292,35 @@ public function contentEncoding (ContentEncoding ...$encoding):self {
 
     }
 
+    /**
+     * ### Allows website administrators to control resources the user agent is allowed to load for a given page
+     * @since 1.0.0
+     *
+     * @uses \FireHub\Core\Support\Collection\Type\Indexed As parameter.
+     * @uses \FireHub\Core\Kernel\HTTP\Response::replaceHeader() To send and replace a raw HTTP header.
+     * @uses \FireHub\Core\Support\Str::fromList() To create a string from a list.
+     * @uses \FireHub\Core\Support\Collection\Type\Indexed::map() To create a string from a list.
+     * @uses \FireHub\Core\Support\Enums\HTTP\CSP\Directive As list value.
+     * @uses \FireHub\Core\Support\Enums\HTTP\CSP\Value As list value.
+     *
+     * @param \FireHub\Core\Support\Collection\Type\Indexed<array{directive:\FireHub\Core\Support\Enums\HTTP\CSP\Directive, value: \FireHub\Core\Support\Enums\HTTP\CSP\Value|string}> $directives <p>
+     * List of directives.
+     * </p>
+     *
+     * @return $this This response.
+     */
+    public function contentSecurityPolicy (Indexed $directives):self {
+
+        $directives = $directives->map(
+            fn($value) => $value['directive']->value.' '.($value['value'] instanceof Value ? $value['value']->value : $value['value'])
+        );
+
+        $this->replaceHeader('Content-Security-Policy: '.Str::fromList($directives, '; ')); // @phpstan-ignore-line
+
+        return $this;
+
+    }
+
     /**
      * ### Send a raw HTTP header
      * @since 1.0.0

diff --git a/src/support/enums/http/csp/firehub.Directive.php b/src/support/enums/http/csp/firehub.Directive.php
@@ -0,0 +1,170 @@
+<?php declare(strict_types = 1);
+
+/**
+ * This file is part of FireHub Web Application Framework package
+ *
+ * @author Danijel Galić <danijel.galic@outlook.com>
+ * @copyright 2024 FireHub Web Application Framework
+ * @license <https://opensource.org/licenses/OSL-3.0> OSL Open Source License version 3
+ *
+ * @package Core\Support
+ *
+ * @version GIT: $Id$ Blob checksum.
+ */
+
+namespace FireHub\Core\Support\Enums\HTTP\CSP;
+
+use FireHub\Core\Base\ {
+    InitBackedEnum, Trait\ConcreteBackedEnum
+};
+
+/**
+ * ### HTTP Content Security Policy directives
+ * @since 1.0.0
+ */
+enum Directive:string implements InitBackedEnum {
+
+    /**
+     * ### FireHub initial concrete-backed enum trait
+     * @since 1.0.0
+     */
+    use ConcreteBackedEnum;
+
+    /**
+     * ### Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>
+     * @since 1.0.0
+     */
+    case CHILD_SRC = 'child-src';
+
+    /**
+     * ### Directive restricts the URLs which can be loaded using script interfaces
+     * - The ping attribute in <a> elements
+     * - fetch()
+     * - XMLHttpRequest
+     * - WebSocket
+     * - EventSource
+     * - Navigator.sendBeacon()
+     *
+     * @since 1.0.0
+     */
+    case CONNECT_SRC = 'connect-src';
+
+    /**
+     * ### Serves as a fallback for the other fetch directives
+     * @since 1.0.0
+     */
+    case DEFAULT_SRC = 'default-src';
+
+    /**
+     * ### Specifies valid sources for fonts loaded using @font-face
+     * @since 1.0.0
+     */
+    case FONT_SRC = 'font-src';
+
+    /**
+     * ### Specifies valid sources for nested browsing contexts loaded into elements such as <frame> and <iframe>
+     * @since 1.0.0
+     */
+    case FRAME_SRC = 'frame-src';
+
+    /**
+     * ### Specifies valid sources of images and favicons
+     * @since 1.0.0
+     */
+    case IMG_SRC = 'img-src';
+
+    /**
+     * ### Specifies valid sources of application manifest files
+     * @since 1.0.0
+     */
+    case MANIFEST_SRC = 'manifest-src';
+
+    /**
+     * ### Specifies valid sources for loading media using the <audio>, <video> and <track> elements
+     * @since 1.0.0
+     */
+    case MEDIA_SRC = 'media-src';
+
+    /**
+     * ### Specifies valid sources for the <object> and <embed> elements
+     * @since 1.0.0
+     */
+    case OBJECT_SRC = 'object-src';
+
+    /**
+     * ### Specifies valid sources for JavaScript and WebAssembly resources
+     * @since 1.0.0
+     */
+    case SCRIPT_SRC = 'script-src';
+
+    /**
+     * ### Specifies valid sources for JavaScript <script> elements
+     * @since 1.0.0
+     */
+    case SCRIPT_SRC_ELEM = 'script-src-elem';
+
+    /**
+     * ### Specifies valid sources for JavaScript inline event handlers
+     * @since 1.0.0
+     */
+    case SCRIPT_SRC_ATTR = 'script-src-attr';
+
+    /**
+     * ### Specifies valid sources for stylesheets
+     * @since 1.0.0
+     */
+    case STYLE_SRC = 'style-src';
+
+    /**
+     * ### Specifies valid sources for stylesheets <style> elements and <link> elements with rel="stylesheet"
+     * @since 1.0.0
+     */
+    case STYLE_SRC_ELEM = 'style-src-elem';
+
+    /**
+     * ### Specifies valid sources for inline styles applied to individual DOM elements
+     * @since 1.0.0
+     */
+    case STYLE_SRC_ATTR = 'style-src-attr';
+
+    /**
+     * ### Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts
+     * @since 1.0.0
+     */
+    case WORKER_SRC = 'worker-src';
+
+    /**
+     * ### Restricts the URLs which can be used in a document's <base> element
+     * @since 1.0.0
+     */
+    case BASE_URI = 'base-uri';
+
+    /**
+     * ### Enables a sandbox for the requested resource similar to the <iframe> sandbox attribute
+     * @since 1.0.0
+     */
+    case SANDBOX = 'sandbox';
+
+    /**
+     * ### Restricts the URLs which can be used as the target of a form submission from a given context
+     * @since 1.0.0
+     */
+    case FORM_ACTION = 'form-action';
+
+    /**
+     * ### Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, or <embed>
+     * @since 1.0.0
+     */
+    case FRAME_ANCESTORS = 'frame-ancestors';
+
+    /**
+     * ### Upgrade insecure requests
+     *
+     * Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they've been
+     * replaced with secure URLs (those served over HTTPS). This directive is intended for websites with large
+     * numbers of insecure legacy URLs that need to be rewritten.
+     * @since 1.0.0
+     */
+    case UPGRADE_INSECURE_REQUESTS = 'upgrade-insecure-requests';
+
+}
diff --git a/src/support/enums/http/csp/firehub.Value.php b/src/support/enums/http/csp/firehub.Value.php
@@ -0,0 +1,63 @@
+<?php declare(strict_types = 1);
+
+/**
+ * This file is part of FireHub Web Application Framework package
+ *
+ * @author Danijel Galić <danijel.galic@outlook.com>
+ * @copyright 2024 FireHub Web Application Framework
+ * @license <https://opensource.org/licenses/OSL-3.0> OSL Open Source License version 3
+ *
+ * @package Core\Support
+ *
+ * @version GIT: $Id$ Blob checksum.
+ */
+
+namespace FireHub\Core\Support\Enums\HTTP\CSP;
+
+use FireHub\Core\Base\ {
+    InitBackedEnum, Trait\ConcreteBackedEnum
+};
+
+/**
+ * ### HTTP Content Security Policy values
+ * @since 1.0.0
+ */
+enum Value:string implements InitBackedEnum {
+
+    /**
+     * ### FireHub initial concrete-backed enum trait
+     * @since 1.0.0
+     */
+    use ConcreteBackedEnum;
+
+    /**
+     * ### Won't allow loading of any resources
+     * @since 1.0.0
+     */
+    case NONE = "'none'";
+
+    /**
+     * ### Only allow resources from the current origin
+     * @since 1.0.0
+     */
+    case SELF = "'self'";
+
+    /**
+     * ### The trust granted to a script in the page due to an accompanying nonce or hash is extended to the scripts it loads
+     * @since 1.0.0
+     */
+    case STRICT_DYNAMIC = "'strict-dynamic'";
+
+    /**
+     * ### Allow use of inline resources
+     * @since 1.0.0
+     */
+    case UNSAFE_INLINE = "'unsafe-inline'";
+
+    /**
+     * ### Allows enabling specific inline event handlers
+     * @since 1.0.0
+     */
+    case UNSAFE_HASHES = "'unsafe-hashes'";
+
+}