PHP Classes

File: examples/example6.php

Recommend this page to a friend!
  Classes of Tom Postma  >  PHP Content Security Policy generator  >  examples/example6.php  >  Download  
File: examples/example6.php
Role: Example script
Content type: text/plain
Description: Example: how to calculate and use a hash code to allow inline JavaScript/ECMAScript.
Class: PHP Content Security Policy generator
Generate CSP headers to prevent security attacks
Author: By
Last change: Update examples, in examples 2 and 6 the resources are only loaded over https.

Signed-off-by: Tom <D9ping@users.noreply.github.com>
Added support for sending the Referrer-Policy http header base on the current referrerpolicy value and added strict-origin-when-cross-origin and strict-origin values.

Signed-off-by: Tom <D9ping@users.noreply.github.com>
Date: 3 years ago
Size: 1,511 bytes
 

Contents

Class file image Download
<?php
require_once('../CSPGenerator.php');

// E.g. allow inline google analytics javascript snippet.
// The following javascript code needs hashed before the Content Security Policy
// HTTP header is send to the client.
$jscode = "
window['ga-disable-UA-XXXXX-Y'] = true;
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXX-Y', 'auto');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');

  alert('The (disabled)Google analytics snippet loaded.');
"
;

CSPGenerator::getInstance()->addScriptsrcHash($jscode, 'sha384');
CSPGenerator::getInstance()->addScriptsrc('https://www.google-analytics.com');
CSPGenerator::getInstance()->addImagesrc('https://www.google-analytics.com');

// Set the headers, always call this method before any content output.
CSPGenerator::getInstance()->Parse();
// Start content output.
?><!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>example6 - allow inline script with hash</title>
    </head>
    <body>
    <!-- Whitelisted inline script: -->
    <script type="application/javascript"><?php echo $jscode; ?></script>
    <!-- Not whitelisted inline script: -->
    <script type="application/javascript">
alert('This should not popup.');
    </script>
    See page sourcecode.
    </body>
</html>

For more information send a message to info at phpclasses dot org.