introduce nonce store

aidantwoods · Dec 10, 2016 · 6c8261f · 6c8261f
1 parent 02ea7a6
commit 6c8261f
Showing 1 changed file with 45 additions and 2 deletions.
diff --git a/SecureHeaders.php b/SecureHeaders.php
@@ -37,6 +37,7 @@ class SecureHeaders{
     protected $error_reporting = true;
 
     protected $csp_legacy = false;
+    protected $return_existing_nonce = true;
 
     protected $strict_mode = false;
 
@@ -120,6 +121,11 @@ public function strict_mode($mode = true)
         }
     }
 
+    public function return_existing_nonce($mode = true)
+    {
+        $this->return_existing_nonce = ($mode == true);
+    }
+
     public function auto($mode = self::AUTO_ALL)
     {
         $this->assert_types(array('int' => array($mode)));
@@ -534,11 +540,26 @@ public function csp_nonce($friendly_directive, $report_only = null)
     {
         $this->assert_types(array('string' => array($friendly_directive)));
 
+        $report_only = ($report_only == true);
+
+        $nonce_store = &$this->csp_nonces[
+            ($report_only ? 'report_only' : 'enforced')
+        ];
+
+        $directive = $this->long_directive($friendly_directive);
+
+        if ($this->return_existing_nonce and isset($nonce_store[$directive]))
+        {
+            return $nonce_store[$directive];
+        }
+
         $nonce = $this->csp_generate_nonce();
 
         $nonce_string = "'nonce-$nonce'";
 
-        $this->csp_allow($friendly_directive, $nonce_string, $report_only);
+        $this->add_csp_source($directive, $nonce_string, $report_only);
+
+        $nonce_store[$directive] = $nonce;
 
         return $nonce;
     }
@@ -1226,6 +1247,17 @@ private function csp_allow(
             array('string' => array($friendly_directive, $friendly_source))
         );
 
+        $directive = $this->long_directive($friendly_directive);
+
+        $source = $this->long_source($friendly_source);
+
+        $this->add_csp_source($directive, $source, $report_only);
+    }
+
+    private function long_directive($friendly_directive)
+    {
+        $this->assert_types(array('string' => array($friendly_directive)));
+
         $friendly_directive = strtolower($friendly_directive);
 
         if (isset($this->csp_directive_shortcuts[$friendly_directive]))
@@ -1237,6 +1269,13 @@ private function csp_allow(
             $directive = $friendly_directive;
         }
 
+        return $directive;
+    }
+
+    private function long_source($friendly_source)
+    {
+        $this->assert_types(array('string' => array($friendly_source)));
+
         $lower_friendly_source = strtolower($friendly_source);
 
         if (isset($this->csp_source_shortcuts[$lower_friendly_source]))
@@ -1248,7 +1287,7 @@ private function csp_allow(
             $source = $friendly_source;
         }
 
-        $this->add_csp_source($directive, $source, $report_only);
+        return $source;
     }
 
     private function add_csp_source(
@@ -2089,6 +2128,10 @@ private function report_missing_headers()
 
     private $csp                = array();
     private $csp_ro             = array();
+    private $csp_nonces         = array(
+        'enforced' => array(),
+        'report_only' => array()
+    );
 
     private $hsts               = array();