src/Framework/Security/ContentSecurityPolicy/EventSubscriber/ContentSecurityPolicyListener.php line 47

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\Framework\Security\ContentSecurityPolicy\EventSubscriber;
  7. use App\Framework\Security\ContentSecurityPolicy\Computer\PageScriptCSPComputer;
  8. use App\Framework\Security\ContentSecurityPolicy\Computer\ResponseNonceComputer;
  9. use App\Framework\Security\ContentSecurityPolicy\DirectivesSet;
  10. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  11. use Symfony\Component\HttpKernel\Event\RequestEvent;
  12. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  13. use Symfony\Component\HttpKernel\HttpKernelInterface;
  15. class ContentSecurityPolicyListener implements EventSubscriberInterface
  16. {
  17.     private DirectivesSet $directiveSet;
  18.     private ?string $nonce null;
  20.     public function __construct(
  21.         private readonly PageScriptCSPComputer $pageScriptCSPComputer
  22.     ) {
  23.         $this->directiveSet = new DirectivesSet();
  24.     }
  26.     public function resetDirectiveSet(): void
  27.     {
  28.         $this->directiveSet = new DirectivesSet();
  29.     }
  31.     public function addCSPHeader(ResponseEvent $event): void
  32.     {
  33.         if (HttpKernelInterface::MAIN_REQUEST !== $event->getRequestType()) {
  34.             return;
  35.         }
  36.         $event->getResponse()->headers->set(
  37.             'Content-Security-Policy',
  38.             $this->directiveSet->buildHeaderValue($this->getNonce())
  39.         );
  40.     }
  42.     public function addNonceToScripts(ResponseEvent $event): void
  43.     {
  44.         $event->setResponse(ResponseNonceComputer::computeNoncesToResponseContent($event->getResponse(), $this->getNonce()));
  45.     }
  47.     public function calculateAddedScripts(RequestEvent $event): void
  48.     {
  49.         if (HttpKernelInterface::MAIN_REQUEST !== $event->getRequestType()) {
  50.             return;
  51.         }
  53.         $hashes $this->pageScriptCSPComputer->computeShaSet();
  54.         $this->directiveSet->addShaSet('script-src'$hashes);
  55.     }
  57.     public function calculateNonce(RequestEvent $event): void
  58.     {
  59.         if (HttpKernelInterface::MAIN_REQUEST !== $event->getRequestType()) {
  60.             return;
  61.         }
  63.         $this->getNonce();
  64.     }
  66.     public function getNonce(): string
  67.     {
  68.         if (null === $this->nonce) {
  69.             $this->nonce base64_encode(random_bytes(16));
  70.         }
  72.         return $this->nonce;
  73.     }
  75.     public static function getSubscribedEvents(): array
  76.     {
  77.         return [
  78.             RequestEvent::class => [
  79.                 ['resetDirectiveSet', -7],
  80.                 ['calculateNonce', -8],
  81.                 ['calculateAddedScripts', -9],
  82.             ],
  83.             ResponseEvent::class => [
  84.                 ['addNonceToScripts'],
  85.                 ['addCSPHeader'1],
  86.             ],
  87.         ];
  88.     }
  89. }