承接 mazedlx/laravel-feature-policy 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

mazedlx/laravel-feature-policy

Composer 安装命令:

composer require mazedlx/laravel-feature-policy

包简介

Add Feature-Policy headers to the responses of a Laravel app

README 文档

README

Latest Version on Packagist Tests Analyse and format Total Downloads

The Permissions-Policy, which previously was known as the Feature-Policy. But since it came out of draft, it was renamed to "Permissions-Policy".
The "Permissions-Policy" is an HTTP header which can be used to restrict the abilities of a browser.

Where the Content-Security-Policy focuses on security, the "Permissions-Policy" focuses on allowing or disabling the abilities of the browser.
This can be done though the HTTP header, which this package focuses on, but it can also do this through the allows attribute on the iframe element.

iframe example
<iframe width="643" height="360" frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe>

More on the header itself can be found on the following sites.

Installation

Laravel 10 users should use v2.0 or newer, otherwise stick to v1.3

The package can be installed though composer:

$ composer require mazedlx/laravel-feature-policy

After which the config file needs to be published:

$ php artisan vendor:publish --provider="Mazedlx\FeaturePolicy\FeaturePolicyServiceProvider" --tag="config"

Which looks like this:

Config file
<?php

return [
    /*
     * A policy will determine which "Permissions-Policy" headers will be set.
     * A valid policy extends `Mazedlx\FeaturePolicy\Policies\Policy`
     */
    'policy' => Mazedlx\FeaturePolicy\Policies\Basic::class,

    /*
     * "Feature-Policy" headers will only be added if this is set to true
     */
    'enabled' => env('FPH_ENABLED', true),
];

Middleware

You can add "Feature-Policy" headers to all responses by registering Mazedlx\FeaturePolicy\AddFeaturePolicyHeaders::class in the HTTP kernel:

Middleware example
// app/Http/Kernel.php

...

protected $middlewareGroups = [
    'web' => [
        ...
        \Mazedlx\FeaturePolicy\AddFeaturePolicyHeaders::class,
    ]
];

Alternatively you can add the middleware to a single route and route group:

Route example
// in a routes file
use App\Http\Controllers\HomeController;
use Mazedlx\FeaturePolicy\AddFeaturePolicyHeaders;

Route::get('/home', HomeController::class)
    ->middleware(AddFeaturePolicyHeaders::class);

You could even pass a policy as a parameter and override the policy specified in the config file:

// in a routes file
use App\Http\Controllers\HomeController;
use Mazedlx\FeaturePolicy\AddFeaturePolicyHeaders;

Route::get('/home', HomeController::class)
    ->middleware(AddFeaturePolicyHeaders::class . ':' . MyFeaturePolicy::class);

Usage

This package allows you to configure the policies that end up in the "Permissions-Policy" header.

This policy determines which directives will be set in the "Permissions-Policy" header of the response.

It uses the following syntax;

Feature-Policy: <directive> <allowlist>

An example of a "Permissions-Policy" directive is microphone:

Permissions-Policy: microphone=(self "https://spatie.be")

In the above example by specifying microphone and allowing it for self makes the permission disabled for all origins except our own and https://spatie.be.

The current list of directives can be found here. Some of these are:

  • accelerometer
  • ambient-light-sensor
  • autoplay
  • camera
  • encrypted-media
  • fullscreen
  • geolocation
  • gyroscope
  • magnetometer
  • microphone
  • midi
  • payment
  • picture-in-picture
  • speaker
  • usb
  • vr

You can add multiple policy options as an array or as a single string with space-separated options:

// in a policy
...
    ->addDirective(Directive::CAMERA, [
        Value::SELF,
        'spatie.be',
    ])
    ->addDirective(Directive::GYROSCOPE, 'self spatie.be')
...

Creating Policies

The policy key of the feature-policy config file is set to Mazedlx\FeaturePolicy\Policies\Basic::class by default, which allows your site to use a few of the available features. The class looks like this:

Basic policy
<?php

namespace Mazedlx\FeaturePolicy\Policies;

use Mazedlx\FeaturePolicy\Value;
use Mazedlx\FeaturePolicy\Directive;

class Basic extends Policy
{
    public function configure()
    {
        $this->addDirective(Directive::GEOLOCATION, Value::SELF)
            ->addDirective(Directive::FULLSCREEN, Value::SELF);
    }
}

Let's say you're happy with allowing geolocation and fullscreen but also wanted to add www.awesomesite.com to gain access to this feature, then you can easily extend the class:

MyFeature policy
<?php

namespace App\Services\FeaturePolicy\Policies;

use Mazedlx\FeaturePolicy\Directive;
use Mazedlx\FeaturePolicy\Policies\Basic;

class MyFeaturePolicy extends Basic
{
    public function configure()
    {
        parent::configure();

        $this->addDirective(Directive::GEOLOCATION, 'www.awesomesite.com')
            ->addDirective(Directive::FULLSCREEN, 'www.awesomesite.com');
    }
}

Don't forget to change the policy key in the feature-policy config file to the class name fo your policy (e.g. App\Services\Policies\MyFeaturePolicy).

Testing

You can run all tests with:

$ composer test

Changelog

Please see CHANGELOG for more information what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Contributers

Made with contrib.rocks.

Security

If you discover any security related issues please email mazedlx@gmail.com instead of using the issue tracker.

Credits

This package is strongly inspired by Spatie laravel-csp package. Thanks to Freek van der Herten and Thomas Verhelst for creating such an awesome package and doing all the heavy lifting!

Support

If you like this package please feel free to star it.

License

The MIT License (MIT). Please see LICENSE for more information.

mazedlx/laravel-feature-policy 适用场景与选型建议

mazedlx/laravel-feature-policy 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 194.09k 次下载、GitHub Stars 达 17, 最近一次更新时间为 2018 年 08 月 28 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「headers」 「laravel」 「feature-policy」 「laravel-feature-policy」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 mazedlx/laravel-feature-policy 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 mazedlx/laravel-feature-policy 我们能提供哪些服务?
定制开发 / 二次开发

基于 mazedlx/laravel-feature-policy 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 194.09k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 17
  • 点击次数: 20
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 17
  • Watchers: 2
  • Forks: 8
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2018-08-28