vendor/shopware/core/Framework/Routing/CoreSubscriber.php line 45

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\Routing;
  5. use Shopware\Core\Framework\Log\Package;
  6. use Shopware\Core\Framework\Routing\Annotation\RouteScope as RouteScopeAnnotation;
  7. use Shopware\Core\PlatformRequest;
  8. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  9. use Symfony\Component\HttpKernel\Event\RequestEvent;
  10. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  11. use Symfony\Component\HttpKernel\KernelEvents;
  13. /**
  14. * @deprecated tag:v6.5.0 - reason:becomes-internal - EventSubscribers will become internal in v6.5.0
  15. */
  16. #[Package('core')]
  17. class CoreSubscriber implements EventSubscriberInterface
  18. {
  19. /**
  20. * @var array<string>
  21. */
  22. private array $cspTemplates;
  24. /**
  25. * @internal
  26. *
  27. * @param array<string> $cspTemplates
  28. */
  29. public function __construct(array $cspTemplates)
  30. {
  31. $this->cspTemplates = $cspTemplates;
  32. }
  34. /**
  35. * @return array<string, string|array{0: string, 1: int}|list<array{0: string, 1?: int}>>
  36. */
  37. public static function getSubscribedEvents()
  38. {
  39. return [
  40. KernelEvents::REQUEST => 'initializeCspNonce',
  41. KernelEvents::RESPONSE => 'setSecurityHeaders',
  42. ];
  43. }
  45. public function initializeCspNonce(RequestEvent $event): void
  46. {
  47. $nonce = base64_encode(random_bytes(8));
  48. $event->getRequest()->attributes->set(PlatformRequest::ATTRIBUTE_CSP_NONCE, $nonce);
  49. }
  51. public function setSecurityHeaders(ResponseEvent $event): void
  52. {
  53. if (!$event->getResponse()->isSuccessful()) {
  54. return;
  55. }
  57. $response = $event->getResponse();
  58. if ($event->getRequest()->isSecure()) {
  59. $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  60. }
  61. $response->headers->set('X-Frame-Options', 'deny');
  62. $response->headers->set('X-Content-Type-Options', 'nosniff');
  63. $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
  65. $cspTemplate = $this->cspTemplates['default'] ?? '';
  67. $scopes = $event->getRequest()->attributes->get(PlatformRequest::ATTRIBUTE_ROUTE_SCOPE, []);
  68. if ($scopes instanceof RouteScopeAnnotation) {
  69. $scopes = $scopes->getScopes();
  70. }
  72. foreach ($scopes as $scope) {
  73. $cspTemplate = $this->cspTemplates[$scope] ?? $cspTemplate;
  74. }
  76. $cspTemplate = trim($cspTemplate);
  77. if ($cspTemplate !== '' && !$response->headers->has('Content-Security-Policy')) {
  78. $nonce = $event->getRequest()->attributes->get(PlatformRequest::ATTRIBUTE_CSP_NONCE);
  80. if (\is_string($nonce)) {
  81. $csp = str_replace('%nonce%', $nonce, $cspTemplate);
  82. $csp = str_replace(["\n", "\r"], ' ', $csp);
  83. $response->headers->set('Content-Security-Policy', $csp);
  84. }
  85. }
  86. }
  87. }