<?php
namespace Juki\Bundle\AppBundle\EventListener;
use Doctrine\ORM\EntityManagerInterface;
use Hitso\Bundle\CommonBundle\Helper\Request\RequestHelper;
use Hitso\Bundle\SeoBundle\Entity\SeoPage;
use Hitso\Bundle\SeoBundle\Service\SeoPagesManager;
use Symfony\Cmf\Bundle\SeoBundle\SeoPresentationInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ControllerEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
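class ResponseSubscriber implements EventSubscriberInterface
{
    /**
     * Content-Security-Policy directives sent with every non-admin response,
     * joined with '; ' into the header value.
     *
     * Policy generator - https://report-uri.com/home/generate
     *
     * NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval', which
     * removes most of the script-injection mitigation a CSP provides; nonces or
     * hashes are the stricter alternative. No frame-ancestors directive (and no
     * X-Frame-Options header) is set here, so framing is not restricted by this
     * subscriber — confirm that is intended.
     */
    private const CSP_DIRECTIVES = [
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.googleapis.com unpkg.com *.google-analytics.com *.google.com *.gstatic.com",
        "connect-src 'self' *.googleapis.com *.google-analytics.com",
        "style-src 'self' 'unsafe-inline' *.googleapis.com",
        "img-src 'self' blob: data: *.gstatic.com *.googleapis.com *.google.com *.google-analytics.com *.ytimg.com",
        "font-src 'self' *.gstatic.com",
        "frame-src 'self' youtube.com www.youtube.com youtu.be *.novitus.pl *.google.com",
    ];

    /**
     * Request attribute naming the site the matched route belongs to.
     */
    private const SITE_ATTRIBUTE = '_site';

    /**
     * Site value for which the security headers are NOT added.
     */
    private const ADMIN_SITE = 'admin';

    /**
     * @var SeoPresentationInterface Injected but not used by this subscriber as written.
     */
    private $seoPresentation;

    /**
     * @var SeoPagesManager Injected but not used by this subscriber as written.
     */
    private $seoPagesManager;

    /**
     * @var EntityManagerInterface Injected but not used by this subscriber as written.
     */
    private $entityManager;

    /**
     * @var array|null Declared but never assigned anywhere in this class.
     */
    private $seoPages;

    /**
     * @var RequestHelper Injected but not used by this subscriber as written.
     */
    private $requestHelper;

    /**
     * The injected services are stored unchanged to keep the service definition
     * valid; onKernelResponse() only reads the request and writes response headers.
     */
    public function __construct(
        SeoPresentationInterface $seoPresentation,
        EntityManagerInterface $entityManager,
        SeoPagesManager $seoPagesManager,
        RequestHelper $requestHelper
    ) {
        $this->seoPresentation = $seoPresentation;
        $this->entityManager = $entityManager;
        $this->seoPagesManager = $seoPagesManager;
        $this->requestHelper = $requestHelper;
    }

    /**
     * Subscribes to kernel.response at the default priority (0).
     *
     * @return array<string, array{string, int}>
     */
    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => ['onKernelResponse', 0],
        ];
    }

    /**
     * Adds browser security headers to every response that is not served for
     * the admin site.
     *
     * The site is read from the request *attributes* only (populated by routing),
     * not via Request::get(): that helper also falls back to query-string and
     * request-body parameters, which would let client-supplied input decide
     * whether these headers are sent on routes that do not define the attribute.
     * NOTE(review): if the project sets `_site` by some means other than a route
     * attribute, confirm the attribute bag is still the right source.
     */
    public function onKernelResponse(ResponseEvent $event): void
    {
        $request = $event->getRequest();
        if ($request->attributes->get(self::SITE_ATTRIBUTE) === self::ADMIN_SITE) {
            return;
        }

        $headers = $event->getResponse()->headers;
        foreach ($this->securityHeaders() as $name => $value) {
            $headers->set($name, $value);
        }
    }

    /**
     * Header name => value map written by onKernelResponse().
     *
     * @return array<string, string>
     */
    private function securityHeaders(): array
    {
        return [
            'Content-Security-Policy' => implode('; ', self::CSP_DIRECTIVES),
            // 30 days. Browsers only honour HSTS on responses received over HTTPS,
            // and the preload list requires a max-age of at least one year.
            'Strict-Transport-Security' => 'max-age=2592000; includeSubDomains',
            'X-Content-Type-Options' => 'nosniff',
            // NOTE(review): X-XSS-Protection is deprecated; current guidance is to
            // send '0' or omit it and rely on CSP. Kept to preserve existing behaviour.
            'X-XSS-Protection' => '1; mode=block',
        ];
    }
}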