Csp Builder Versions Save

Build Content-Security-Policy headers from a JSON file (or build them programmatically)

v3.0.1

1 week ago

#77 - prevent duplicate policies
Updated dependencies

v3.0.0

4 months ago

What's Changed

PHP <7.4 is not supported in this new major version!
- The changes in #70 created a dependency conflict with PHP <7.4.
Add a CSP header parser (CSPBuilder::fromHeader) by @fritzmg in https://github.com/paragonie/csp-builder/pull/74
un-deprecate frame-src by @fritzmg in https://github.com/paragonie/csp-builder/pull/76
Generate nonce also when only default-src policy is applied by @fritzmg in https://github.com/paragonie/csp-builder/pull/65
Add PoC of report-to header by @Firesphere in https://github.com/paragonie/csp-builder/pull/70

Full Changelog: https://github.com/paragonie/csp-builder/compare/v2.9.0...v3.0.0

v2.9.0

11 months ago

What's Changed

Add support for psr/http-message v2 by @internalsystemerror in https://github.com/paragonie/csp-builder/pull/73
Fix support for script-src-{elem|attr}, Add support for style-src-{elem|attr} by @internalsystemerror in https://github.com/paragonie/csp-builder/pull/71

New Contributors

@internalsystemerror made their first contribution in https://github.com/paragonie/csp-builder/pull/73

Full Changelog: https://github.com/paragonie/csp-builder/compare/v2.8.1...v2.9.0

v2.8.1

1 year ago

What's Changed

Add 'url' type value for report-uri by @danieltott in https://github.com/paragonie/csp-builder/pull/61
Fix plugin-types generation by @fritzmg in https://github.com/paragonie/csp-builder/pull/69
report-uri should not be encoded at all by @Firesphere in https://github.com/paragonie/csp-builder/pull/64
Ignore PHPUnit result cache by @fritzmg in https://github.com/paragonie/csp-builder/pull/67
Allow 'unsafe-hashed-attributes' to be set by @fritzmg in https://github.com/paragonie/csp-builder/pull/68
Remove trailing semicolon by @fritzmg in https://github.com/paragonie/csp-builder/pull/66

New Contributors

@danieltott made their first contribution in https://github.com/paragonie/csp-builder/pull/61
@fritzmg made their first contribution in https://github.com/paragonie/csp-builder/pull/69
@Firesphere made their first contribution in https://github.com/paragonie/csp-builder/pull/64

Full Changelog: https://github.com/paragonie/csp-builder/compare/v2.8.0...v2.8.1

v2.8.0

1 year ago

Prevent semicolon or CLRF injection. See https://github.com/paragonie/csp-builder/commit/1a1a85fcf115400d7753af842403ec6e846319de for details.

CSP-Builder is a developer tool. It is not meant to be used with user input.

However, the ability to inject CSP directives or additional headers violates the principle of least astonishment.

This was reported via user demonia on HackerOne.

v2.7.0

1 year ago

CI: Build/test on PHP 8.2
Add support for "unsafe-hashes" directive

v2.6.0

2 years ago

#56 You can now save policies as JSON strings or to disk (reported in #39)
#55 Allow hooks before writing output to disk
#54 Allow https: scheme sources
#51 Allow sample report directive
Fixed #23 -- duplicate directives are now prevented
Implemented #52

v2.5.0

3 years ago

Consistently invalidate the compiled CSP cache.
Update PHPUnit, etc.
Dropped support for PHP 7.0. You can continue to install 2.4.0, but we will not be backporting patches into the old version. PHP 7.0 is EOL, please upgrade to 7.4 or newer.

v2.4.0

4 years ago

#42 - In Chrome 76, this library's behavior with report-to does not work. Specifically, you cannot pass a URL as a report-to directive or Chrome will never send CSP reports, even if there is also a report-uri fallback. @iangcarroll provided a pull request that fixes this behavior.

v2.3.0

6 years ago

#21 - Add always clause to nginx header. Thanks @alainwolf
#17 - Add support for blob:, filesystem:, and data: URIs.
Added CSPBuilder::fromArray() because its absence seemed confusing if you're not familiar with the constructor.
Minor documentation improvements. Not nearly enough to close #18, though.