Properties

$inlineScriptAllowed

$inlineScriptAllowed : boolean

Type

boolean — Whether inline JS snippets are allowed

$evalScriptAllowed

$evalScriptAllowed : boolean

Type

boolean — Whether eval in JS scripts is allowed. TODO: Disallow per default

$allowedScriptDomains

$allowedScriptDomains : array

Type

array — Domains from which scripts can get loaded

$inlineStyleAllowed

$inlineStyleAllowed : boolean

Type

boolean — Whether inline CSS is allowed. TODO: Disallow per default

$allowedStyleDomains

$allowedStyleDomains : array

Type

array — Domains from which CSS can get loaded

$allowedImageDomains

$allowedImageDomains : array

Type

array — Domains from which images can get loaded

$allowedConnectDomains

$allowedConnectDomains : array

Type

array — Domains to which connections can be done

$allowedMediaDomains

$allowedMediaDomains : array

Type

array — Domains from which media elements can be loaded

$allowedObjectDomains

$allowedObjectDomains : array

Type

array — Domains from which object elements can be loaded

$allowedFrameDomains

$allowedFrameDomains : array

Type

array — Domains from which iframes can be loaded

$allowedFontDomains

$allowedFontDomains : array

Type

array — Domains from which fonts can be loaded

$allowedChildSrcDomains

$allowedChildSrcDomains : array

Type

array — Domains from which web-workers and nested browsing content can load elements

Methods

allowInlineScript()

allowInlineScript(boolean  $state = false) : $this

Whether inline JavaScript snippets are allowed or forbidden

Parameters

boolean $state

Returns

$this

allowEvalScript()

allowEvalScript(boolean  $state = true) : $this

Whether eval in JavaScript is allowed or forbidden

Parameters

boolean $state

Returns

$this

addAllowedScriptDomain()

addAllowedScriptDomain(string  $domain) : $this

Allows executing JavaScript files from a specific domain. Use * to allow JavaScript from all domains.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowScriptDomain()

disallowScriptDomain(string  $domain) : $this

Remove the specified allowed script domain from the allowed domains.

Parameters

string $domain

Returns

$this

allowInlineStyle()

allowInlineStyle(boolean  $state = true) : $this

Whether inline CSS snippets are allowed or forbidden

Parameters

boolean $state

Returns

$this

addAllowedStyleDomain()

addAllowedStyleDomain(string  $domain) : $this

Allows loading CSS files from a specific domain. Use * to allow CSS from all domains.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowStyleDomain()

disallowStyleDomain(string  $domain) : $this

Remove the specified allowed style domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedFontDomain()

addAllowedFontDomain(string  $domain) : $this

Allows using fonts from a specific domain. Use * to allow fonts from all domains.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowFontDomain()

disallowFontDomain(string  $domain) : $this

Remove the specified allowed font domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedImageDomain()

addAllowedImageDomain(string  $domain) : $this

Allows embedding images from a specific domain. Use * to allow images from all domains.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowImageDomain()

disallowImageDomain(string  $domain) : $this

Remove the specified allowed image domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedConnectDomain()

addAllowedConnectDomain(string  $domain) : $this

Remote domains to which JavaScript is allowed to connect.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowConnectDomain()

disallowConnectDomain(string  $domain) : $this

Remove the specified allowed connect domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedMediaDomain()

addAllowedMediaDomain(string  $domain) : $this

From which domains media elements can be embedded.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowMediaDomain()

disallowMediaDomain(string  $domain) : $this

Remove the specified allowed media domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedObjectDomain()

addAllowedObjectDomain(string  $domain) : $this

Domains from which objects such as <object>, <embed> or <applet> may be loaded and executed.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowObjectDomain()

disallowObjectDomain(string  $domain) : $this

Remove the specified allowed object domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedFrameDomain()

addAllowedFrameDomain(string  $domain) : $this

Domains whose content may be embedded in an iframe.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowFrameDomain()

disallowFrameDomain(string  $domain) : $this

Remove the specified allowed frame domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedChildSrcDomain()

addAllowedChildSrcDomain(string  $domain) : $this

Domains from which web-workers and nested browsing content can load elements

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowChildSrcDomain()

disallowChildSrcDomain(string  $domain) : $this

Remove the specified allowed child src domain from the allowed domains.

Parameters

string $domain

Returns

$this

buildPolicy()

buildPolicy() : string

Get the generated Content-Security-Policy as a string

Returns

string
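The following PHP sketch is an added worked example, not the source of the documented class (whose name this page does not give). It mirrors the documented properties and method names so that the effect of each boolean flag and domain list on the string returned by buildPolicy() is visible, and it shows what the repeated note "Any passed value needs to be properly sanitized" guards against: a value is written into the header verbatim, so a string containing ';' or whitespace would append directives of its own. The default values, the default-src 'none' fallback, the ExampleContentSecurityPolicy class name and the validation regex are assumptions of this example; the directive names are standard CSP.

```php
<?php
// Added example, not the documented class: a minimal builder with the same
// method names. Defaults, the default-src 'none' fallback and the source
// validation rule are assumptions of this example; directives are standard CSP.
final class ExampleContentSecurityPolicy
{
    private bool $inlineScriptAllowed = false;
    private bool $evalScriptAllowed = false;
    private bool $inlineStyleAllowed = false;

    /** @var array<string, string[]> CSP directive => allowed source expressions */
    private array $domains = [
        'script-src' => [], 'style-src' => [], 'img-src' => [],
        'connect-src' => [], 'media-src' => [], 'object-src' => [],
        'frame-src' => [], 'font-src' => [], 'child-src' => [],
    ];

    public function allowInlineScript(bool $state = false): self { $this->inlineScriptAllowed = $state; return $this; }
    public function allowEvalScript(bool $state = true): self { $this->evalScriptAllowed = $state; return $this; }
    public function allowInlineStyle(bool $state = true): self { $this->inlineStyleAllowed = $state; return $this; }

    public function addAllowedScriptDomain(string $d): self { return $this->allow('script-src', $d); }
    public function addAllowedStyleDomain(string $d): self { return $this->allow('style-src', $d); }
    public function addAllowedImageDomain(string $d): self { return $this->allow('img-src', $d); }
    public function addAllowedConnectDomain(string $d): self { return $this->allow('connect-src', $d); }
    public function addAllowedMediaDomain(string $d): self { return $this->allow('media-src', $d); }
    public function addAllowedObjectDomain(string $d): self { return $this->allow('object-src', $d); }
    public function addAllowedFrameDomain(string $d): self { return $this->allow('frame-src', $d); }
    public function addAllowedFontDomain(string $d): self { return $this->allow('font-src', $d); }
    public function addAllowedChildSrcDomain(string $d): self { return $this->allow('child-src', $d); }

    public function disallowScriptDomain(string $d): self { return $this->deny('script-src', $d); }
    public function disallowStyleDomain(string $d): self { return $this->deny('style-src', $d); }
    public function disallowImageDomain(string $d): self { return $this->deny('img-src', $d); }
    public function disallowConnectDomain(string $d): self { return $this->deny('connect-src', $d); }
    public function disallowMediaDomain(string $d): self { return $this->deny('media-src', $d); }
    public function disallowObjectDomain(string $d): self { return $this->deny('object-src', $d); }
    public function disallowFrameDomain(string $d): self { return $this->deny('frame-src', $d); }
    public function disallowFontDomain(string $d): self { return $this->deny('font-src', $d); }
    public function disallowChildSrcDomain(string $d): self { return $this->deny('child-src', $d); }

    // The documentation says every passed value "needs to be properly sanitized"
    // because it is written into the header verbatim. This guard (an assumption
    // of the example) accepts only '*', the 'self' keyword or a host-source
    // expression, so ';' or whitespace in a value cannot add extra directives.
    private function allow(string $directive, string $source): self
    {
        $hostSource = '~^(https?://)?(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d+)?$~';
        if ($source !== '*' && $source !== "'self'" && !preg_match($hostSource, $source)) {
            throw new InvalidArgumentException("refusing unsanitized CSP source: $source");
        }
        if (!in_array($source, $this->domains[$directive], true)) {
            $this->domains[$directive][] = $source;
        }
        return $this;
    }

    private function deny(string $directive, string $source): self
    {
        $this->domains[$directive] = array_values(array_diff($this->domains[$directive], [$source]));
        return $this;
    }

    // Assemble the header value: each directive with at least one source is
    // emitted, and the boolean flags become the 'unsafe-*' keywords.
    public function buildPolicy(): string
    {
        $parts = ["default-src 'none'"];
        foreach ($this->domains as $directive => $sources) {
            if ($directive === 'script-src') {
                if ($this->inlineScriptAllowed) { $sources[] = "'unsafe-inline'"; }
                if ($this->evalScriptAllowed)   { $sources[] = "'unsafe-eval'"; }
            } elseif ($directive === 'style-src' && $this->inlineStyleAllowed) {
                $sources[] = "'unsafe-inline'";
            }
            if ($sources !== []) {
                $parts[] = $directive . ' ' . implode(' ', $sources);
            }
        }
        return implode(';', $parts) . ';';
    }
}

// Usage with constructed sample values: the frame domain is added and removed
// again, so frame-src does not appear in the result.
$policy = (new ExampleContentSecurityPolicy())
    ->addAllowedScriptDomain("'self'")
    ->addAllowedStyleDomain("'self'")->allowInlineStyle(true)
    ->addAllowedImageDomain('*')
    ->addAllowedConnectDomain('https://api.example.org')
    ->addAllowedFrameDomain('embed.example.org')->disallowFrameDomain('embed.example.org');
echo $policy->buildPolicy(), PHP_EOL;

// A value carrying its own directive separator is refused instead of being
// concatenated into the header.
try {
    $policy->addAllowedScriptDomain('cdn.example.org; script-src *');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The example sets allowEvalScript to false by default even though the documented method defaults its parameter to true; the page's own TODO notes on $evalScriptAllowed and $inlineStyleAllowed indicate that disallowing them by default is the intended direction, and a policy built with 'unsafe-inline' or 'unsafe-eval' in script-src loses most of its protection against injected scripts.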