Merge pull request #357 from martijnc/report-to-directive
Add support for the `report-to` directive
Seldaek authored Sep 23, 2024
2 parents 3c47396 + 2961c8e commit a2be165
Showing 5 changed files with 24 additions and 7 deletions.
3 changes: 3 additions & 0 deletions src/ContentSecurityPolicy/DirectiveSet.php
Expand Up @@ -29,6 +29,8 @@ final class DirectiveSet
public const TYPE_NO_VALUE = 'no-value';
/** @internal */
public const TYPE_SRC_LIST = 'source-list';
/** @internal */
public const TYPE_REPORTING_GROUP = 'reporting-group';

/**
* @var array<string, string>
Expand All @@ -54,6 +56,7 @@ final class DirectiveSet
'report-uri' => self::TYPE_URI_REFERENCE,
'worker-src' => self::TYPE_SRC_LIST,
'prefetch-src' => self::TYPE_SRC_LIST,
'report-to' => self::TYPE_REPORTING_GROUP,
];

/**
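Review bot: The new `TYPE_REPORTING_GROUP` constant and the `'report-to' => self::TYPE_REPORTING_GROUP` mapping carry only `@internal`, which leaves the one non-obvious property of this type undocumented: unlike a source list or a URI, the value is a bare endpoint-group token that only has an effect when the same group is declared in a `Reporting-Endpoints` (or legacy `Report-To`) response header, and nothing in this change emits such a header. A one-line doc comment above the constant, e.g. `/** @internal Value is a single endpoint-group token; the group must be declared separately via a Reporting-Endpoints/Report-To header. */`, would stop users from configuring a directive that points nowhere. The enclosing class continues outside both hunks.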
1 change: 1 addition & 0 deletions src/ContentSecurityPolicy/PolicyManager.php
Expand Up @@ -131,6 +131,7 @@ private function getLevel3(): array
'reflected-xss',
'worker-src',
'prefetch-src',
'report-to',
]);
}

2 changes: 1 addition & 1 deletion src/DependencyInjection/Configuration.php
Expand Up @@ -197,7 +197,7 @@ private function addReportOrEnforceNode(string $reportOrEnforce): ArrayNodeDefin
->then(static function (string $value): array { return [$value]; })
->end()
->end();
} elseif (DirectiveSet::TYPE_URI_REFERENCE === $type) {
} elseif (\in_array($type, [DirectiveSet::TYPE_URI_REFERENCE, DirectiveSet::TYPE_REPORTING_GROUP], true)) {
$children->scalarNode($name)
->end();
} else {
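Review bot: The widened `elseif (\in_array($type, [DirectiveSet::TYPE_URI_REFERENCE, DirectiveSet::TYPE_REPORTING_GROUP], true))` gives `report-to` the same unvalidated `scalarNode` as `report-uri`, so whatever string is configured is emitted verbatim into the header (the test fixture in this commit shows `report-to csp-endpoint`). A value containing `;`, whitespace or a comma would be read by the browser as additional directives or a truncated policy rather than as a group name, silently changing the effective policy. The CSP grammar limits `report-to` to a single token, so a separate branch that validates a conservative token pattern rejects such values at container compile time; whether the URI branch validates anything is not visible in the hunk, so this is at least an improvement for the new type. addReportOrEnforceNode starts and ends outside the hunk.
```php
} elseif (DirectiveSet::TYPE_URI_REFERENCE === $type) {
    $children->scalarNode($name)
        ->end();
} elseif (DirectiveSet::TYPE_REPORTING_GROUP === $type) {
    // report-to takes one endpoint-group token; anything else would be
    // interpreted by the browser as part of the policy itself.
    $children->scalarNode($name)
        ->validate()
            ->ifTrue(static function ($v): bool { return !\is_string($v) || 1 !== preg_match('/^[A-Za-z0-9_.-]+$/', $v); })
            ->thenInvalid('The report-to value must be a single endpoint group name, got %s.')
        ->end()
        ->end();
} else {
```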
4 changes: 3 additions & 1 deletion src/Resources/doc/index.rst
Expand Up @@ -188,7 +188,8 @@ scripts or ``eval()`` you can use ``'unsafe-inline'`` and ``'unsafe-eval'``.

Apart from content types, the policy also accepts ``report-uri`` which should be
a URI where a browser can POST a `JSON payload`_ to whenever a policy directive
is violated.
is violated. As of v3.5, a ``report-to`` directive can be included as well to configure a
reporting endpoint (see `Reporting API`_), which is intended to replace the deprecated ``report-uri`` directive.

An optional ``content_types`` key lets you restrict the Content Security Policy
headers only on some HTTP response given their content type.
Expand Down Expand Up @@ -961,3 +962,4 @@ For better security of your site please use ``no-referrer``, ``same-origin``,
.. _`a non-standard nosniff header from Microsoft`: http://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
.. _`a non-standard X-XSS-Protection header from Microsoft`: http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
.. _`referrer policies`: https://www.w3.org/TR/referrer-policy/#referrer-policies
.. _`Reporting API`: https://www.w3.org/TR/reporting-1/
21 changes: 16 additions & 5 deletions tests/ContentSecurityPolicy/DirectiveSetTest.php
Expand Up @@ -65,7 +65,8 @@ public function provideVariousConfig(): array
'style-src style.example.org \'self\'; '.
'upgrade-insecure-requests; '.
'report-uri http://report-uri; '.
'worker-src worker.example.com \'self\'',
'worker-src worker.example.com \'self\'; '.
'report-to csp-endpoint',
self::UA_CHROME,
[
'default-src' => ['example.org', "'self'"],
Expand All @@ -80,6 +81,7 @@ public function provideVariousConfig(): array
'connect-src' => ['connect.example.org', "'self'"],
'worker-src' => ['worker.example.com', "'self'"],
'report-uri' => ['http://report-uri'],
'report-to' => 'csp-endpoint',
'base-uri' => ['base-uri.example.org', "'self'"],
'child-src' => ['child-src.example.org', "'self'"],
'form-action' => ['form-action.example.org', "'self'"],
Expand All @@ -106,7 +108,8 @@ public function provideVariousConfig(): array
'style-src style.example.org \'self\'; '.
'upgrade-insecure-requests; '.
'report-uri http://report-uri; '.
'worker-src worker.example.com \'self\'',
'worker-src worker.example.com \'self\'; '.
'report-to csp-endpoint',
self::UA_FIREFOX,
[
'default-src' => ['example.org', "'self'"],
Expand All @@ -121,6 +124,7 @@ public function provideVariousConfig(): array
'connect-src' => ['connect.example.org', "'self'"],
'worker-src' => ['worker.example.com', "'self'"],
'report-uri' => ['http://report-uri'],
'report-to' => 'csp-endpoint',
'base-uri' => ['base-uri.example.org', "'self'"],
'child-src' => ['child-src.example.org', "'self'"],
'form-action' => ['form-action.example.org', "'self'"],
Expand Down Expand Up @@ -149,7 +153,8 @@ public function provideVariousConfig(): array
'style-src style.example.org \'self\'; '.
'upgrade-insecure-requests; '.
'report-uri http://report-uri; '.
'worker-src worker.example.com \'self\'',
'worker-src worker.example.com \'self\'; '.
'report-to csp-endpoint',
self::UA_IE,
[
'default-src' => ['example.org', "'self'"],
Expand All @@ -163,6 +168,7 @@ public function provideVariousConfig(): array
'connect-src' => ['connect.example.org', "'self'"],
'worker-src' => ['worker.example.com', "'self'"],
'report-uri' => ['http://report-uri'],
'report-to' => 'csp-endpoint',
'base-uri' => ['base-uri.example.org', "'self'"],
'child-src' => ['child-src.example.org', "'self'"],
'form-action' => ['form-action.example.org', "'self'"],
Expand Down Expand Up @@ -192,7 +198,8 @@ public function provideVariousConfig(): array
'style-src style.example.org \'self\'; '.
'upgrade-insecure-requests; '.
'report-uri http://report-uri; '.
'worker-src worker.example.com \'self\'',
'worker-src worker.example.com \'self\'; '.
'report-to csp-endpoint',
self::UA_OPERA,
[
'default-src' => ['example.org', "'self'"],
Expand All @@ -207,6 +214,7 @@ public function provideVariousConfig(): array
'connect-src' => ['connect.example.org', "'self'"],
'worker-src' => ['worker.example.com', "'self'"],
'report-uri' => ['http://report-uri'],
'report-to' => 'csp-endpoint',
'base-uri' => ['base-uri.example.org', "'self'"],
'child-src' => ['child-src.example.org', "'self'"],
'form-action' => ['form-action.example.org', "'self'"],
Expand Down Expand Up @@ -241,6 +249,7 @@ public function provideVariousConfig(): array
'connect-src' => ['connect.example.org', "'self'"],
'worker-src' => ['worker.example.com', "'self'"],
'report-uri' => ['http://report-uri'],
'report-to' => 'csp-endpoint',
'base-uri' => ['base-uri.example.org', "'self'"],
'child-src' => ['child-src.example.org', "'self'"],
'form-action' => ['form-action.example.org', "'self'"],
Expand All @@ -267,7 +276,8 @@ public function provideVariousConfig(): array
'script-src script.example.org \'self\'; '.
'style-src style.example.org \'self\'; '.
'report-uri http://report-uri; '.
'worker-src worker.example.com \'self\'',
'worker-src worker.example.com \'self\'; '.
'report-to csp-endpoint',
self::UA_CHROME,
[
'default-src' => ['example.org', "'self'"],
Expand All @@ -281,6 +291,7 @@ public function provideVariousConfig(): array
'connect-src' => ['connect.example.org', "'self'"],
'worker-src' => ['worker.example.com', "'self'"],
'report-uri' => ['http://report-uri'],
'report-to' => 'csp-endpoint',
'base-uri' => ['base-uri.example.org', "'self'"],
'child-src' => ['child-src.example.org', "'self'"],
'form-action' => ['form-action.example.org', "'self'"],
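Review bot: The new fixture rows only cover the configured case, so neither the absent-`report-to` header (no trailing `; report-to`) nor a rejected or malformed value is pinned; one provider row without `report-to` would catch a regression where the directive is emitted empty. The expected parsed form `'report-to' => 'csp-endpoint'` is a bare string while every sibling entry is an array, which reads like a typo without a hint; a short comment on that line, `// single endpoint-group token, not a source list`, makes the shape intentional, and the same note applies to each of the six repeated `'report-to csp-endpoint'` rows. provideVariousConfig starts before the first hunk and ends after the last.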
