lkoudal · May 24, 2023 00:27
diff --git a/WpCsp.php b/WpCsp.php
 <?php

 class WpCsp {


    public function register(): void
    {

        add_filter('script_loader_tag', [$this, 'filter_script_loader_tag'], 3, 50);
        add_filter('wp_inline_script_attributes', [$this, 'action_wp_inline_script_attributes']);
        add_filter('wp_script_attributes', [$this, 'action_wp_script_attributes']);
        add_filter('wp_headers', [$this, 'action_wp_headers'], 1, 50);
    }

    public function action_wp_headers(): array
    {
        $nonce = $this->nonce();

        $headers['X-Frame-Options'] = 'DENY';
        $headers['X-Content-Type-Options'] = 'nosniff';
        $headers['Referrer-Policy'] = 'strict-origin-when-cross-origin';
        $headers['Strict-Transport-Security'] = 'max-age=63072000; includeSubDomains; preload';
        $headers['Access-Control-Allow-Origin'] = WP_SITEURL;
        $headers['Content-Security-Policy'] = preg_replace('/\n\s+/', " ", "
            default-src 'self';
            script-src  'self' 'nonce-$nonce;
            style-src 'self' 'nonce-$nonce';
            object-src 'none';
            base-uri 'self';
            connect-src 'self';
            font-src 'self';
            frame-src 'self';
            img-src 'self';
            manifest-src 'self';
            media-src 'self';
            worker-src 'none';
        ");
        $headers['Cross-Origin-Opener-Policy'] = 'same-origin';
        $headers['Cross-Origin-Resource-Policy'] = 'same-site';
        $headers['Cross-Origin-Embedder-Policy'] = 'require-corp';
        $headers['X-Powered-By'] = 'Ponies';

        return $headers;
    }

    public function action_wp_inline_script_attributes(array $attributes): array
    {
        return $this->addNonceAttribute($attributes);
    }

    public function action_wp_script_attributes(array $attributes): array
    {
        return $this->addNonceAttribute($attributes);
    }

    public function filter_script_loader_tag(string $tag, string $handle, string $src): string
    {
        $attributes = $this->parseAttributes($tag);
        $attributes = $this->addNonceAttribute($attributes);

        $pairedStrings = [];
        foreach ($attributes as $key => $value) {
            $pairs[] = "$key=\"$value\"";
        }
        $combined = implode(" ", $pairedStrings);
        return "<script $combined>";
    }

    public function parseAttributes(string $tag): array
    {
        $matches = []; 
        preg_match_all(
            '/(\S+)=["\']?((?:.(?!["\']?\s+(?:\S+)=|\s*\/?[>"\']))+.)["\']?/',
            $tag,
            $matches
        );

        $keyValues = [];
        foreach ($matches as $match) {
            $keyValue[$match[1]] = $match[2];
        }
        return $keyValues;
    }

    public function addNonceAttribute(array $attributes): array 
    {
        if (!($attributes['nonce'] ?? false)) {
            $attributes['nonce'] = $this->nonce();
        }

        return $attributes;
    }

    public function nonce(): string
    {
        if($this->nonce ?? false) {
            return $this->nonce;
        }

        $this->nonce = base64_encode(random_bytes(20));

        return $this->nonce;
    }


 }
	<?php

	class WpCsp {


	public function register(): void
	{

	add_filter('script_loader_tag', [$this, 'filter_script_loader_tag'], 3, 50);
	add_filter('wp_inline_script_attributes', [$this, 'action_wp_inline_script_attributes']);
	add_filter('wp_script_attributes', [$this, 'action_wp_script_attributes']);
	add_filter('wp_headers', [$this, 'action_wp_headers'], 1, 50);
	}

	public function action_wp_headers(): array
	{
	$nonce = $this->nonce();

	$headers['X-Frame-Options'] = 'DENY';
	$headers['X-Content-Type-Options'] = 'nosniff';
	$headers['Referrer-Policy'] = 'strict-origin-when-cross-origin';
	$headers['Strict-Transport-Security'] = 'max-age=63072000; includeSubDomains; preload';
	$headers['Access-Control-Allow-Origin'] = WP_SITEURL;
	$headers['Content-Security-Policy'] = preg_replace('/\n\s+/', " ", "
	default-src 'self';
	script-src 'self' 'nonce-$nonce;
	style-src 'self' 'nonce-$nonce';
	object-src 'none';
	base-uri 'self';
	connect-src 'self';
	font-src 'self';
	frame-src 'self';
	img-src 'self';
	manifest-src 'self';
	media-src 'self';
	worker-src 'none';
	");
	$headers['Cross-Origin-Opener-Policy'] = 'same-origin';
	$headers['Cross-Origin-Resource-Policy'] = 'same-site';
	$headers['Cross-Origin-Embedder-Policy'] = 'require-corp';
	$headers['X-Powered-By'] = 'Ponies';

	return $headers;
	}

	public function action_wp_inline_script_attributes(array $attributes): array
	{
	return $this->addNonceAttribute($attributes);
	}

	public function action_wp_script_attributes(array $attributes): array
	{
	return $this->addNonceAttribute($attributes);
	}

	public function filter_script_loader_tag(string $tag, string $handle, string $src): string
	{
	$attributes = $this->parseAttributes($tag);
	$attributes = $this->addNonceAttribute($attributes);

	$pairedStrings = [];
	foreach ($attributes as $key => $value) {
	$pairs[] = "$key=\"$value\"";
	}
	$combined = implode(" ", $pairedStrings);
	return "<script $combined>";
	}

	public function parseAttributes(string $tag): array
	{
	$matches = [];
	preg_match_all(
	'/(\S+)=["\']?((?:.(?!["\']?\s+(?:\S+)=\|\s*\/?[>"\']))+.)["\']?/',
	$tag,
	$matches
	);

	$keyValues = [];
	foreach ($matches as $match) {
	$keyValue[$match[1]] = $match[2];
	}
	return $keyValues;
	}

	public function addNonceAttribute(array $attributes): array
	{
	if (!($attributes['nonce'] ?? false)) {
	$attributes['nonce'] = $this->nonce();
	}

	return $attributes;
	}

	public function nonce(): string
	{
	if($this->nonce ?? false) {
	return $this->nonce;
	}

	$this->nonce = base64_encode(random_bytes(20));

	return $this->nonce;
	}


	}