
Commit 9476ebd

committed
Merge branch 'feature/175' into develop
Close #175 Fix #163
2 parents 2c8a252 + 5802ba9 commit 9476ebd

3 files changed

+90
-8
lines changed


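--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file, in reverse
 
 ### Added
 
-- Nothing.
+- [#175](https://github.com/zendframework/zend-http/pull/175) adds support for Content Security Policy Level 3 Header directives.
 
 ### Changed
 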
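--- a/src/Header/ContentSecurityPolicy.php
+++ b/src/Header/ContentSecurityPolicy.php
@@ -8,7 +8,7 @@
 namespace Zend\Http\Header;
 
 /**
-* Content Security Policy 1.0 Header
+* Content Security Policy Level 3 Header
 *
 * @link http://www.w3.org/TR/CSP/
 */
@@ -21,17 +21,38 @@ class ContentSecurityPolicy implements MultipleHeaderInterface
 */
 protected $validDirectiveNames = [
 // As per http://www.w3.org/TR/CSP/#directives
+// Fetch directives
+'child-src',
+'connect-src',
 'default-src',
-'script-src',
-'object-src',
-'style-src',
+'font-src',
+'frame-src',
 'img-src',
+'manifest-src',
 'media-src',
-'frame-src',
-'font-src',
-'connect-src',
+'object-src',
+'prefetch-src',
+'script-src',
+'script-src-elem',
+'script-src-attr',
+'style-src',
+'style-src-elem',
+'style-src-attr',
+'worker-src',
+
+// Document directives
+'base-uri',
+'plugin-types',
 'sandbox',
+
+// Navigation directives
+'form-action',
+'frame-ancestors',
+'navigate-to',
+
+// Reporting directives
 'report-uri',
+'report-to',
 ];
 
 /**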
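Review bot: The class docblock in the first hunk now announces Level 3, but its `@link http://www.w3.org/TR/CSP/` and the `// As per http://www.w3.org/TR/CSP/#directives` comment above `$validDirectiveNames` still cite the unversioned CSP page, so a reader cannot tell which revision the whitelist was checked against; pointing both at `https://www.w3.org/TR/CSP3/` (or recording the draft date) would make the list auditable. Directives that real deployments commonly carry but that are defined in companion specifications rather than CSP3 itself, `upgrade-insecure-requests` and `block-all-mixed-content`, are still absent, so if setDirective() validates names against this array (that code is outside the hunk) headers using them will keep being rejected; either add them or document the omission next to the list. CSP3 also marks `report-uri` as deprecated in favour of `report-to`, which the list now contains, so a short comment such as `// 'report-uri' is deprecated in CSP3; kept for Level 1/2 user agents` would help callers choose.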

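--- a/test/Header/ContentSecurityPolicyTest.php
+++ b/test/Header/ContentSecurityPolicyTest.php
@@ -187,4 +187,65 @@ public function testMultiple()
 $headers->toString()
 );
 }
+
+public static function validDirectives()
+{
+return [
+['child-src', ["'self'"],"Content-Security-Policy: child-src 'self';"],
+['manifest-src', ["'self'"], "Content-Security-Policy: manifest-src 'self';"],
+['worker-src', ["'self'"], "Content-Security-Policy: worker-src 'self';"],
+['prefetch-src', ["'self'"], "Content-Security-Policy: prefetch-src 'self';"],
+['script-src-elem', ["'self'"], "Content-Security-Policy: script-src-elem 'self';"],
+['script-src-attr', ["'self'"], "Content-Security-Policy: script-src-attr 'self';"],
+['style-src-elem', ["'self'"], "Content-Security-Policy: style-src-elem 'self';"],
+['style-src-attr', ["'self'"], "Content-Security-Policy: style-src-attr 'self';"],
+['base-uri', ["'self'", "'unsafe-inline'"], "Content-Security-Policy: base-uri 'self' 'unsafe-inline';"],
+['plugin-types', ['text/csv'], 'Content-Security-Policy: plugin-types text/csv;'],
+[
+'form-action',
+['http://*.example.com', "'self'"],
+"Content-Security-Policy: form-action http://*.example.com 'self';"
+],
+[
+'frame-ancestors',
+['http://*.example.com', "'self'"],
+"Content-Security-Policy: frame-ancestors http://*.example.com 'self';"
+],
+['navigate-to', ['example.com'], 'Content-Security-Policy: navigate-to example.com;'],
+['sandbox', ['allow-forms'], 'Content-Security-Policy: sandbox allow-forms;'],
+];
+}
+
+/**
+* @dataProvider validDirectives
+*
+* @param string $directive
+* @param string[] $values
+* @param string $expected
+*/
+public function testContentSecurityPolicySetDirectiveThrowsExceptionIfMissingDirectiveNameGiven(
+$directive,
+array $values,
+$expected
+) {
+$csp = new ContentSecurityPolicy();
+$csp->setDirective($directive, $values);
+
+self::assertSame($expected, $csp->toString());
+}
+
+/**
+* @dataProvider validDirectives
+*
+* @param string $directive
+* @param string[] $values
+* @param string $header
+*/
+public function testFromString($directive, array $values, $header)
+{
+$contentSecurityPolicy = ContentSecurityPolicy::fromString($header);
+
+self::assertArrayHasKey($directive, $contentSecurityPolicy->getDirectives());
+self::assertSame(implode(' ', $values), $contentSecurityPolicy->getDirectives()[$directive]);
+}
 }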
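Review bot: The method name `testContentSecurityPolicySetDirectiveThrowsExceptionIfMissingDirectiveNameGiven` contradicts what the test asserts: it sets a valid Level 3 directive and checks `toString()`, and no exception is expected, so a failure report would be misread; rename it to something like `testSetDirectiveAcceptsLevel3DirectivesAndSerializesThem`. The provider's first row `['child-src', ["'self'"],"Content-Security-Policy: child-src 'self';"]` is missing the space after the second comma that every other row has. Both new tests exercise only the accept path of the enlarged whitelist; a row set for a name that is not in the list (for example a misspelled `script-src-elem`) asserting the rejection behaviour would confirm that unknown directives are still refused after this change, unless an existing invalid-directive test outside this hunk already covers it.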
