From 6b61e3c4f99b220f15d8cff7f23ac34a84c8b5be Mon Sep 17 00:00:00 2001
From: kenjis
Date: Wed, 29 Jun 2022 16:50:25 +0900
Subject: [PATCH] fix: CSR reportOnly behavior

---
 system/HTTP/ContentSecurityPolicy.php | 10 ++++++----
 tests/system/HTTP/ContentSecurityPolicyTest.php | 7 ++++---
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index ff2ee3111ebe..36292621397e 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -776,7 +776,7 @@ protected function buildHeaders(ResponseInterface $response)
 protected function addToHeader(string $name, $values = null)
 {
 if (is_string($values)) {
- $values = [$values => 0];
+ $values = [$values => $this->reportOnly];
 }
 
 $sources = [];
@@ -785,13 +785,15 @@ protected function addToHeader(string $name, $values = null)
 foreach ($values as $value => $reportOnly) {
 if (is_numeric($value) && is_string($reportOnly) && ! empty($reportOnly)) {
 $value = $reportOnly;
- $reportOnly = 0;
+ $reportOnly = $this->reportOnly;
+ }
+
+ if (strpos($value, 'nonce-') === 0) {
+ $value = "'{$value}'";
 }
 
 if ($reportOnly === true) {
 $reportSources[] = in_array($value, $this->validSources, true) ? "'{$value}'" : $value;
- } elseif (strpos($value, 'nonce-') === 0) {
- $sources[] = "'{$value}'";
 } else {
 $sources[] = in_array($value, $this->validSources, true) ? "'{$value}'" : $value;
 }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index b685e0ac29e7..7e41c9a0d4a5 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
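Review bot: `addToHeader` still has no PHPDoc stating what `$values` may be, and the new default makes that contract less obvious: a bare string is now wrapped as `[$values => $this->reportOnly]`, so whether an unflagged source lands in the enforced or the Report-Only header depends on the instance's `reportOnly` setting instead of always going to the enforced header. I would add a docblock above the signature along the lines of `@param string|array<string, bool>|array<int, string>|null $values Source(s) for the directive; an array maps source => reportOnly, while a bare string or a numeric key takes $this->reportOnly as its default`. The rest of addToHeader's body continues past this hunk.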
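Review bot: The hoisted `strpos($value, 'nonce-')` check now runs for every entry, including those whose key stayed numeric because the `is_numeric($value) && is_string($reportOnly) && ! empty($reportOnly)` guard did not fire (an int key with a boolean or empty-string value, for instance), so `$value` can reach `strpos()` as an int; the old `elseif` had the same exposure but only on the non-report-only path. Guarding it as `if (is_string($value) && strpos($value, 'nonce-') === 0) {` keeps the quoting to genuine nonce sources, and `str_starts_with()` would read better if the supported PHP version allows it. Moving the nonce check ahead of the split also means a `nonce-` source flagged report-only is now quoted and emitted in the Report-Only header, which the old code never did, so that behaviour change deserves a sentence in the method's docblock or the changelog. The foreach and the method close outside this hunk.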
@@ -132,7 +132,7 @@ public function testConnectSrc()
 
 $result = $this->work();
 $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
- $this->assertStringContainsString('connect-src iffy.com maybe.com;', $result);
+ $this->assertStringContainsString("connect-src 'self' iffy.com maybe.com;", $result);
 }
 
 /**
@@ -165,9 +165,10 @@ public function testFormAction()
 
 $result = $this->work();
 $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
- $this->assertStringContainsString('form-action surveysrus.com;', $result);
+ $this->assertStringContainsString("form-action 'self' surveysrus.com;", $result);
+
 $result = $this->getHeaderEmitted('Content-Security-Policy');
- $this->assertStringContainsString("form-action 'self';", $result);
+ $this->assertStringNotContainsString("form-action 'self';", $result);
 }
 
 /**
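Review bot: The new `assertStringNotContainsString("form-action 'self';", $result)` on the enforced header only proves that one exact substring is absent, so it would also pass if the enforced header were dropped entirely or carried `form-action` with a different source list. Assuming nothing else in testFormAction adds an enforced form-action source, `$this->assertStringNotContainsString('form-action', $result);` states the intent more tightly. If `getHeaderEmitted()` can return null for an absent header, the negative assertion would fail on argument type rather than on content, so pairing it with a positive check of what the enforced header still contains would make the test self-describing.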