I would appreciate feedback.
First php class I've written myself (the little tiny ones that are just over-glorified functions don't count.)

Probably has bugs. I have not thoroughly tested it - but I finally have a nice test sandbox to play with.


That page has link to class source on it too.

The class is suppose to server side implement the Content Security Policy recommendation that can be found here:


In theory (assuming no bugs) the class should flat out remove any content that would violate the specified policy server side so that users who do not have browsers that benefit from CSP also benefit.

Clearly it can not cover every scenario, IE a script from a white listed domain could modify the DOM introducing stuff that will still trigger browser side CSP filtering.

In addition to enforcing the specified policy, it also removes some stuff that ain't where it belongs, like meta tags outside the head etc.

One place where I deviate from the Mozilla CSP intentionally is in event attributes. The way I read the CSP recommendation, event attributes just aren't allowed. For the life of me, though, I can't figure out how to do effective client side form validation w/o at least onchange and onsubmit. So my class does allow white listing of event attributes, though they can not have any arguments (IE onchange="alert('hello');" gets filtered to onchange="altert();"

We'll have to see what the final standard is on that.

The test page lets you set the policy rules that are to be enforced (except no event handler whitelist, I'll have to add that) and has almost no input filtering (just enough to make the input load nicely into the DOM - clean html input should go through unmutilated)

I'll try to put together a pretty index page along with examples of usage, it should fit in nicely with most templating systems, for example, because they tend to construct the page and then send it.

But I can't do that until after the weekend as I'm going out of town.
Anyway, I'd really appreciate feedback on it, so it can be improved.

Just a note - it's not intended as a substitute for input filtering, CSP is intended as a second line of defense, and hopefully will be implemented in browsers soon. This class just gives the benefit of a sound CSP to users w/o a CSP enabled browser (which right now is all of them, though firefox has a partially implemented plugin).

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to