Build Content-Security-Policy headers from a JSON file (or build them programmatically)
CSPBuilder::fromHeader) by @fritzmg in https://github.com/paragonie/csp-builder/pull/74
frame-src by @fritzmg in https://github.com/paragonie/csp-builder/pull/76
default-src policy is applied by @fritzmg in https://github.com/paragonie/csp-builder/pull/65
Full Changelog: https://github.com/paragonie/csp-builder/compare/v2.9.0...v3.0.0
psr/http-message v2 by @internalsystemerror in https://github.com/paragonie/csp-builder/pull/73
Full Changelog: https://github.com/paragonie/csp-builder/compare/v2.8.1...v2.9.0
plugin-types generation by @fritzmg in https://github.com/paragonie/csp-builder/pull/69
Full Changelog: https://github.com/paragonie/csp-builder/compare/v2.8.0...v2.8.1
Prevent semicolon or CLRF injection. See https://github.com/paragonie/csp-builder/commit/1a1a85fcf115400d7753af842403ec6e846319de for details.
CSP-Builder is a developer tool. It is not meant to be used with user input.
However, the ability to inject CSP directives or additional headers violates the principle of least astonishment.
This was reported via user demonia on HackerOne.
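As an added example (not csp-builder's own code), this is the check a fix for this class of injection has to enforce in PHP: every directive name and source value is refused if it contains a semicolon, a carriage return or a line feed before it is joined into the header, because a semicolon would start a new directive and a CR/LF would start a new response header. The function names and sample policies below are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the library's code: the validation that closes
// semicolon/CRLF injection into a Content-Security-Policy header.

final class UnsafeCspValueException extends InvalidArgumentException {}

/**
 * Reject any directive name or source that could break out of its
 * directive (";") or out of the header itself (CR or LF).
 */
function assertSafeCspValue(string $value): string
{
    if (preg_match('/[;\r\n]/', $value) === 1) {
        throw new UnsafeCspValueException(
            'CSP value must not contain ";", CR or LF: ' . json_encode($value)
        );
    }
    return $value;
}

/**
 * Build a header value from a directive => list-of-sources map.
 * Every name and source passes assertSafeCspValue() before being joined,
 * so the only separators in the result are the ones this function emits.
 */
function buildCspHeader(array $policy): string
{
    $directives = [];
    foreach ($policy as $directive => $sources) {
        $name    = assertSafeCspValue((string) $directive);
        $checked = array_map('assertSafeCspValue', $sources);
        $directives[] = $name . ' ' . implode(' ', $checked);
    }
    return implode('; ', $directives);
}

// Constructed inputs: the first policy builds cleanly.
echo buildCspHeader([
    'default-src' => ["'self'"],
    'script-src'  => ["'self'", 'https://cdn.example.com'],
]), PHP_EOL;

// The second carries a CRLF inside a source and is refused outright.
try {
    buildCspHeader(['img-src' => ["https://example.com\r\nX-Injected: 1"]]);
} catch (UnsafeCspValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same check belongs on directive names read from configuration files, since those are just as easily joined into the header as source values are.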
report-to does not work. Specifically, you cannot pass a URL as a report-to directive or Chrome will never send CSP reports, even if there is also a report-uri fallback. @iangcarroll provided a pull request that fixes this behavior.
always clause to nginx header. Thanks @alainwolf
blob:, filesystem:, and data: URIs.
CSPBuilder::fromArray() because its absence seemed confusing if you're not familiar with the constructor.