
<?php
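class stSecurity
{
    /**
     * Memoised result of getSSL(): null until first computed, false when SSL
     * enforcement is off for this request, otherwise the mode ('order'|'shop').
     */
    protected static $ssl = null;

    /** Host override installed via setHost(); null means use $_SERVER['HTTP_HOST']. */
    protected static $host = null;

    /** URI override installed via setUri(); null means use $_SERVER['REQUEST_URI']. */
    protected static $uri = null;

    /**
     * Third-party origins always permitted by the Content-Security-Policy
     * (payment, shipping, maps, analytics, chat and media providers the shop
     * embeds). Entries without a scheme are plain host-source expressions and
     * therefore match any scheme.
     */
    protected static $defaultSrc = array(
        'https://facebook.com',
        'https://mapa.ecommerce.poczta-polska.pl',
        'https://www.paypal.com',
        'https://www.paypalobjects.com',
        'https://*.easypack24.net',
        'https://*.openstreetmap.org',
        'https://*.inpost.pl',
        'https://*.allegrostatic.com',
        'https://allegro.pl',
        'https://*.allegro.pl',
        'https://*.allegroimg.com',
        'https://*.allegrosandbox.pl',
        'https://*.sote.pl',
        'https://*.googletagmanager.com',
        'https://*.facebook.net',
        'https://*.facebook.com',
        'https://*.google-analytics.com',
        'https://*.google.com',
        'https://*.google.pl',
        'https://unpkg.com',
        'https://api.mapbox.com',
        'https://maxcdn.bootstrapcdn.com',
        'https://cdn.jsdelivr.net',
        'https://stats.g.doubleclick.net',
        '*.gstatic.com',
        '*.googleapis.com',
        '*.youtube.com',
        '*.vimeo.com',
        '*.ytimg.com',
        '*.soundcloud.com',
        '*.vimeocdn.com',
        '*.smartsupp.com',
        '*.smartsuppcdn.com',
        'wss://*.smartsupp.com',
        '*.cdn77.org',
        'smartsupp-widget-161959.c.cdn77.org',
        '*.smartlook.com',
        '*.smartlook.cloud',
        '*.smartsuppchat.com',
        '*.addthis.com',
        '*.addthisedge.com',
        '*.facebook.com',
        '*.facebook.net',
        '*.fbcdn.net',
        '*.instagram.com',
        '*.cdninstagram.com',
        '*.googletagmanager.com',
        '*.google-analytics.com',
        '*.paypalobjects.com',
        '*.paypal.com',
    );

    /**
     * Registers an additional CSP source for the current request.
     *
     * The list is read back with getCSPExceptions($type) for the same $type;
     * previously a 'frame' registration copied the 'src' list under the
     * 'frame' key and was then never emitted in the header.
     *
     * @param string $url  Source expression, e.g. 'https://cdn.example.com'.
     * @param string $type 'src' feeds default-src/form-action, 'frame' feeds frame-ancestors.
     * @return void
     */
    public static function addCSPException($url, $type = 'src')
    {
        $exceptions = self::getCSPExceptions($type);
        $exceptions[] = $url;
        sfConfig::set('app_st_security_csp_exceptions_'.$type, $exceptions);
    }

    /**
     * Returns the CSP sources registered with addCSPException() for $type.
     *
     * @param string $type
     * @return array
     */
    public static function getCSPExceptions($type = 'src')
    {
        return (array) sfConfig::get('app_st_security_csp_exceptions_'.$type, array());
    }

    /**
     * Whether SSL enforcement is active for the current request.
     *
     * @return bool
     */
    public static function hasSSL()
    {
        return false !== self::getSSL();
    }

    /**
     * Values of the 'ssl' backend setting, labelled for the admin UI.
     *
     * @return array setting value => translated label
     */
    public static function getSSLOptions()
    {
        $i18n = sfContext::getInstance()->getI18N();

        return array(
            ''      => $i18n->__('Wyłączony', null, 'stSecurityBackend'),
            'shop'  => $i18n->__('Dla całego sklepu', null, 'stSecurityBackend'),
            'order' => $i18n->__('Dla procesu zamówienia i konta klienta', null, 'stSecurityBackend'),
        );
    }

    /**
     * Sets the response security headers: Content-Security-Policy when the
     * backend 'csp' switch is on, X-Content-Type-Options and Referrer-Policy
     * unconditionally.
     *
     * @return void
     */
    public static function addSecurityHeaders()
    {
        $response = sfContext::getInstance()->getResponse();
        $config = stConfig::getInstance('stSecurityBackend');

        if ($config->get('csp')) {
            $response->setHttpHeader('Content-Security-Policy', self::buildCSP(
                (string) $config->get('csp_src_exception'),
                self::getCSPExceptions('src'),
                (string) $config->get('csp_frame_exception'),
                self::getCSPExceptions('frame')
            ));
        }

        $response->setHttpHeader('X-Content-Type-Options', 'nosniff');
        $response->setHttpHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
    }

    /**
     * Assembles the Content-Security-Policy header value.
     *
     * Admin-configured values are free text from the backend; they are
     * tokenised by splitSources(), which also cuts off anything after a ';'
     * or ',' so a newline or a pasted "; script-src *" can neither break the
     * header nor add a directive. Both lists are de-duplicated.
     *
     * NOTE(review): the policy is deliberately permissive -- 'unsafe-inline',
     * 'unsafe-eval' and data: in default-src presumably keep legacy inline
     * scripts working, but they leave little XSS mitigation, and form-action
     * is granted the whole source list although CDNs and analytics hosts never
     * receive a form post. Tightening either needs the templates to cooperate.
     *
     * @param string $srcException   Backend value csp_src_exception (free text).
     * @param array  $srcExtra       Sources registered via addCSPException($url, 'src').
     * @param string $frameException Backend value csp_frame_exception (free text).
     * @param array  $frameExtra     Hosts registered via addCSPException($url, 'frame').
     * @return string
     */
    protected static function buildCSP($srcException, array $srcExtra, $frameException, array $frameExtra)
    {
        $srcList = self::normalizeSources(array_merge(array($srcException), self::$defaultSrc, $srcExtra));
        $frameList = self::normalizeSources(array_merge(array($frameException), $frameExtra));

        return implode('; ', array(
            'default-src ' . implode(' ', array_merge(array("'self'", "'unsafe-inline'", "'unsafe-eval'"), $srcList, array('data:'))),
            'form-action ' . implode(' ', array_merge(array("'self'"), $srcList)),
            'frame-ancestors ' . implode(' ', array_merge(array("'self'"), $frameList)),
        ));
    }

    /**
     * Splits a free-text source list into whitespace-separated tokens.
     *
     * Anything from the first ';' or ',' onwards would start another directive
     * (or a second header value) rather than name a source, so it is dropped.
     *
     * @param string $value
     * @return array
     */
    protected static function splitSources($value)
    {
        $value = preg_replace('/[;,].*/s', '', (string) $value);

        return preg_split('/\s+/', $value, -1, PREG_SPLIT_NO_EMPTY);
    }

    /**
     * Tokenises every entry with splitSources() and removes duplicates,
     * keeping first-seen order.
     *
     * @param array $entries
     * @return array
     */
    protected static function normalizeSources(array $entries)
    {
        $clean = array();
        foreach ($entries as $entry) {
            foreach (self::splitSources($entry) as $token) {
                if (!in_array($token, $clean, true)) {
                    $clean[] = $token;
                }
            }
        }

        return $clean;
    }

    /**
     * Decides whether (and in which mode) SSL is enforced for this request.
     *
     * Backend setting 'ssl': '' disables; 'order' enforces for checkout/account
     * unless the host is in ssl_ignore_hosts; 'shop' enforces everywhere unless
     * the host is in ssl_ignore_hosts or the URI matches ssl_ignore_uri. The
     * legacy value '1' (and any non-string truthy value) means 'order'. When
     * enforcement is off, the shared backend config's 'ssl' is set to false as
     * well so other plugin code sees the same decision.
     *
     * The result is memoised, so $host is only consulted on the first call.
     *
     * @param string|null $host Host to decide for; defaults to getHost().
     * @return string|false 'order', 'shop', or false when disabled
     */
    public static function getSSL($host = null)
    {
        if (null === self::$ssl) {
            $config = stConfig::getInstance('stSecurityBackend');
            $mode = $config->get('ssl');

            if ($mode) {
                if (!is_string($mode) || '1' === $mode) {
                    $mode = 'order';
                }
                $currentHost = (null !== $host) ? $host : self::getHost();
                $ignoredHost = in_array($currentHost, (array) $config->get('ssl_ignore_hosts', array()), true);

                // 'order' only honours the host exclusion; 'shop' honours the URI exclusions too.
                $enforce = ('order' === $mode && !$ignoredHost)
                    || ('shop' === $mode && !$ignoredHost && !self::sslIgnoreUri(self::getUri()));

                if ($enforce) {
                    self::$ssl = $mode;
                } else {
                    $config->set('ssl', false);
                    self::$ssl = false;
                }
            } else {
                self::$ssl = false;
            }
        }

        return self::$ssl;
    }

    /**
     * Overrides the host used by getHost() (must be called before getSSL()).
     *
     * @param string $host
     * @return void
     */
    public static function setHost($host)
    {
        self::$host = $host;
    }

    /**
     * Overrides the URI used by getUri() (must be called before getSSL()).
     *
     * @param string $uri
     * @return void
     */
    public static function setUri($uri)
    {
        self::$uri = $uri;
    }

    /**
     * Whether $uri contains any of the backend ssl_ignore_uri fragments.
     *
     * NOTE(review): this is a substring match on the full REQUEST_URI, query
     * string included, so a request can opt out of HTTPS in 'shop' mode by
     * carrying a configured fragment in its query string. Matching the path
     * only would be tighter but may break existing configurations.
     *
     * @param string $uri
     * @return bool
     */
    protected static function sslIgnoreUri($uri)
    {
        foreach ((array) stConfig::getInstance('stSecurityBackend')->get('ssl_ignore_uri', array()) as $fragment) {
            $fragment = (string) $fragment;
            // An empty fragment must not match: strpos() with an empty needle
            // returns 0 on PHP 8, which would silently disable SSL shop-wide.
            if ('' === $fragment) {
                continue;
            }
            if (false !== strpos($uri, $fragment)) {
                return true;
            }
        }

        return false;
    }

    /**
     * URI the SSL decision is made for: the setUri() override or REQUEST_URI.
     *
     * @return string
     */
    protected static function getUri()
    {
        if (null !== self::$uri) {
            return self::$uri;
        }

        return isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    }

    /**
     * Host the SSL decision is made for: the setHost() override (converted
     * from punycode to UTF-8 when the intl extension is available), otherwise
     * the request's Host header.
     *
     * Previously the override was never returned because the conversion read
     * an undefined local instead of self::$host.
     *
     * NOTE(review): HTTP_HOST is client-controlled; a match against
     * ssl_ignore_hosts can at most skip the HTTPS redirect for the requester's
     * own request.
     *
     * @return string
     */
    protected static function getHost()
    {
        if (null === self::$host) {
            return isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
        }

        if (function_exists('idn_to_utf8')) {
            $utf8 = idn_to_utf8(self::$host);
            // idn_to_utf8() returns false on malformed input; fall back to the raw value then.
            if (false !== $utf8 && '' !== $utf8) {
                return $utf8;
            }
        }

        return self::$host;
    }
}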
?>