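<?php

use ComboStrap\Page;
use ComboStrap\StringUtility;

if (!defined('DOKU_INC')) die();

/**
 * Adds security directives to every rendered page:
 *
 *  - a `Content-Security-Policy` <meta http-equiv> element, merged with any
 *    CSP meta element the template or another plugin already registered;
 *  - `Content-Security-Policy: frame-ancestors 'none'` and `X-Frame-Options: deny`
 *    HTTP headers against clickjacking.
 *
 * The two parts use different channels on purpose: browsers ignore
 * `frame-ancestors` (and `X-Frame-Options`) when they appear in a <meta>
 * element, so the anti-framing part has to go out as real HTTP headers.
 */
class action_plugin_combo_metacsp extends DokuWiki_Action_Plugin
{

    /** Name of the meta element / HTTP header carrying the policy. */
    const CSP_NAME = "Content-Security-Policy";

    /**
     * Directives added to the page-level CSP meta element.
     *
     * NOTE(review): `block-all-mixed-content` is deprecated in CSP3 in favour of
     * `upgrade-insecure-requests`; it is kept as-is so the emitted policy does
     * not change, but consider switching.
     */
    const META_DIRECTIVES = [
        'block-all-mixed-content', // no http sub-resources on an https page
    ];

    public function __construct()
    {
        // enable direct access to language strings, ie $this->lang
        $this->setupLocale();
    }

    public function register(Doku_Event_Handler $controller)
    {
        $controller->register_hook('TPL_METAHEADER_OUTPUT', 'BEFORE', $this, 'metaCsp', array());
    }

    /**
     * TPL_METAHEADER_OUTPUT handler.
     *
     * Merges META_DIRECTIVES into the CSP meta element found in
     * $event->data['meta'] (appending a new element when there is none), then
     * sends the anti-clickjacking HTTP headers.
     *
     * @param Doku_Event $event event whose data['meta'] holds the meta elements,
     *                          each as an attribute => value array
     */
    public function metaCsp($event)
    {
        // Locate an already registered CSP meta element.
        // http-equiv values are ASCII case-insensitive, so compare accordingly.
        $cspKey = null;
        foreach ($event->data['meta'] as $key => $meta) {
            if (isset($meta["http-equiv"]) && strcasecmp($meta["http-equiv"], self::CSP_NAME) === 0) {
                $cspKey = $key;
            }
        }

        // `!== null`: a CSP element at index 0 is a valid find; the loose
        // `!= null` treated key 0 as "not found" and appended a duplicate element.
        if ($cspKey !== null) {
            $existing = isset($event->data['meta'][$cspKey]["content"])
                ? (string)$event->data['meta'][$cspKey]["content"]
                : "";
            // A serialized policy separates directives with `;`. A comma would
            // start a second policy in a header and is not valid inside a
            // directive in a <meta> policy, so split and join on `;`.
            $directives = [];
            foreach (explode(";", $existing) as $directive) {
                $directive = trim($directive);
                if ($directive !== "") {
                    $directives[] = $directive;
                }
            }
            foreach (self::META_DIRECTIVES as $directive) {
                if (!in_array($directive, $directives, true)) {
                    $directives[] = $directive;
                }
            }
            $event->data['meta'][$cspKey] = [
                "http-equiv" => self::CSP_NAME,
                "content" => implode("; ", $directives)
            ];
        } else {
            $event->data['meta'][] = [
                "http-equiv" => self::CSP_NAME,
                "content" => implode("; ", self::META_DIRECTIVES)
            ];
        }

        // HTTP headers. Once output has started header() only emits a warning,
        // so skip silently in that case.
        if (headers_sent()) {
            return;
        }
        // replace=false: several CSP headers are all enforced by the browser, so
        // appending keeps any (possibly stricter) policy DokuWiki or another
        // plugin already sent instead of silently overwriting it.
        header(self::CSP_NAME . ": frame-ancestors 'none'", false);
        // Legacy equivalent for browsers without frame-ancestors support.
        // `deny` is the strictest value, so replacing an earlier header is safe.
        header("X-Frame-Options: deny");
    }

}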