From 0e2f0a2f2843cc57f4218ab588557edff5230972 Mon Sep 17 00:00:00 2001 From: Gilles Dubuc Date: Fri, 22 Mar 2019 06:43:30 +0100 Subject: [PATCH] Reporting API and Feature Policy reporting support These are experimental APIs that lets one report policy violations: https://www.w3.org/TR/reporting/ https://github.com/w3c/webappsec-feature-policy/blob/master/reporting.md Bug: T209572 Change-Id: I002e7802000ec37b3320d8ae761cc1888d4f6edb
---
 includes/DefaultSettings.php | 37 +++++++++++++++++++++++++++++---
 includes/OutputPage.php | 41 ++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 3 deletions(-)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 828af495a4..4547009b5c 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -8996,7 +8996,7 @@ $wgEnableBlockNoticeStats = false;
 /**
  * Origin Trials tokens.
  *
- * @since 1.34
+ * @since 1.33
  * @var array
  */
 $wgOriginTrials = [];
@@ -9006,7 +9006,7 @@ $wgOriginTrials = [];
  *
  * @warning EXPERIMENTAL!
  *
- * @since 1.34
+ * @since 1.33
  * @var bool
  */
 $wgPriorityHints = false;
@@ -9016,11 +9016,42 @@ $wgPriorityHints = false;
  *
  * @warning EXPERIMENTAL!
  *
- * @since 1.34
+ * @since 1.33
  * @var bool
  */
 $wgElementTiming = false;
 
+/**
+ * Expiry of the endpoint definition for the Reporting API.
+ *
+ * @warning EXPERIMENTAL!
+ *
+ * @since 1.34
+ * @var int
+ */
+$wgReportToExpiry = 86400;
+
+/**
+ * List of endpoints for the Reporting API.
+ *
+ * @warning EXPERIMENTAL!
+ *
+ * @since 1.34
+ * @var array
+ */
+$wgReportToEndpoints = [];
+
+/**
+ * List of Feature Policy Reporting types to enable.
+ * Each entry is turned into a Feature-Policy-Report-Only header.
+ *
+ * @warning EXPERIMENTAL!
+ *
+ * @since 1.34
+ * @var array
+ */
+$wgFeaturePolicyReportOnly = [];
+
 /**
  * For really cool vim folding this needs to be at the end:
  * vim: foldmarker=@{,@} foldmethod=marker
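Review bot: The docblock on `$wgFeaturePolicyReportOnly` states that each entry is turned into a Feature-Policy-Report-Only header, but the OutputPage part of this commit joins all entries with `;` and emits one header, so the documentation and the implementation disagree; the sentence should read `Entries are joined with ';' into a single Feature-Policy-Report-Only header.` unless the implementation is meant to change. `$wgReportToExpiry` gives no unit, yet its value becomes the `max_age` field of the Report-To header, which the Reporting API draft linked in the commit message defines in seconds — `Expiry, in seconds, of the endpoint definition for the Reporting API.` would remove the guesswork. For `$wgReportToEndpoints` it is worth saying that each entry is an endpoint URL placed verbatim into a response header, and (to be confirmed against the draft) that browsers only deliver to potentially-trustworthy, i.e. HTTPS, endpoints, so plain-HTTP entries would be silently ignored.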
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 1da8ac80bc..859593b122 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2527,6 +2527,37 @@ class OutputPage extends ContextSource {
 return $config->get( 'OriginTrials' );
 }
 
+ private function getReportTo() {
+ $config = $this->getConfig();
+
+ $expiry = $config->get( 'ReportToExpiry' );
+
+ if ( !$expiry ) {
+ return false;
+ }
+
+ $endpoints = $config->get( 'ReportToEndpoints' );
+
+ if ( !$endpoints ) {
+ return false;
+ }
+
+ $output = [ 'max_age' => $expiry, 'endpoints' => [] ];
+
+ foreach ( $endpoints as $endpoint ) {
+ $output['endpoints'][] = [ 'url' => $endpoint ];
+ }
+
+ return json_encode( $output, JSON_UNESCAPED_SLASHES );
+ }
+
+ private function getFeaturePolicyReportOnly() {
+ $config = $this->getConfig();
+
+ $features = $config->get( 'FeaturePolicyReportOnly' );
+ return implode( ';', $features );
+ }
+
 /**
  * Send cache control HTTP headers
  */
@@ -2694,6 +2725,16 @@ class OutputPage extends ContextSource {
 $response->header( "Origin-Trial: $originTrial", false );
 }
 
+ $reportTo = $this->getReportTo();
+ if ( $reportTo ) {
+ $response->header( "Report-To: $reportTo" );
+ }
+
+ $featurePolicyReportOnly = $this->getFeaturePolicyReportOnly();
+ if ( $featurePolicyReportOnly ) {
+ $response->header( "Feature-Policy-Report-Only: $featurePolicyReportOnly" );
+ }
+
 ContentSecurityPolicy::sendHeaders( $this );
 
 if ( $this->mArticleBodyOnly ) {
-- 2.20.1
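Review bot: Neither `getReportTo()` nor `getFeaturePolicyReportOnly()` carries a docblock, although the neighbouring methods in this file do (the `Send cache control HTTP headers` block sits directly below them). `getReportTo()` returns two different types — `false` when `ReportToExpiry` or `ReportToEndpoints` is empty, otherwise a JSON string — so it needs `@return string|false JSON object for the Report-To header, or false when either ReportToExpiry or ReportToEndpoints is empty`, and `getFeaturePolicyReportOnly()` needs `@return string Feature-Policy-Report-Only header value; configured entries joined with ';', empty string when none are set`. `json_encode()` can itself return `false` (for instance on an endpoint string that is not valid UTF-8), which the caller's truthiness test silently turns into "send no header"; since the input is site configuration that is an acceptable best-effort, but it deserves a one-line comment such as `// json_encode() failure is treated like an empty configuration: no header is sent`. Both methods are complete within the hunk; only the enclosing class is cut at its edges.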
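Review bot: `Feature-Policy-Report-Only` is emitted whenever `$wgFeaturePolicyReportOnly` is non-empty, regardless of whether a `Report-To` header was produced just above it; as I read the feature-policy reporting draft linked in the commit message, report-only violations are delivered to the `default` reporting group, so with `$wgReportToEndpoints` empty the header requests reports that have nowhere to go. Either the dependency should be documented in the settings docblock or the second block guarded with `if ( $reportTo && $featurePolicyReportOnly ) {` — please confirm against the draft. The object built by `getReportTo()` has no `group` field and therefore names the `default` group, which is what lines the two headers up when both are configured; a comment stating that on the `Report-To` line would make the coupling visible. The enclosing method starts and ends outside this hunk.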