Merge pull request #6201 from kenjis/fix-csp-reportOnly

kenjis · web-flow · commit 516e7dd98e02 · 2022-07-02T08:20:24.000+09:00
fix: CSP reportOnly behavior
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -776,7 +776,7 @@ protected function buildHeaders(ResponseInterface $response)
     protected function addToHeader(string $name, $values = null)
     {
         if (is_string($values)) {
-            $values = [$values => 0];
+            $values = [$values => $this->reportOnly];
         }
 
         $sources       = [];
@@ -785,13 +785,15 @@ protected function addToHeader(string $name, $values = null)
         foreach ($values as $value => $reportOnly) {
             if (is_numeric($value) && is_string($reportOnly) && ! empty($reportOnly)) {
                 $value      = $reportOnly;
-                $reportOnly = 0;
+                $reportOnly = $this->reportOnly;
+            }
+
+            if (strpos($value, 'nonce-') === 0) {
+                $value = "'{$value}'";
             }
 
             if ($reportOnly === true) {
                 $reportSources[] = in_array($value, $this->validSources, true) ? "'{$value}'" : $value;
-            } elseif (strpos($value, 'nonce-') === 0) {
-                $sources[] = "'{$value}'";
             } else {
                 $sources[] = in_array($value, $this->validSources, true) ? "'{$value}'" : $value;
             }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -132,7 +132,7 @@ public function testConnectSrc()
         $result = $this->work();
 
         $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('connect-src iffy.com maybe.com;', $result);
+        $this->assertStringContainsString("connect-src 'self' iffy.com maybe.com;", $result);
     }
 
     /**
@@ -165,9 +165,10 @@ public function testFormAction()
         $result = $this->work();
 
         $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('form-action surveysrus.com;', $result);
+        $this->assertStringContainsString("form-action 'self' surveysrus.com;", $result);
+
         $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("form-action 'self';", $result);
+        $this->assertStringNotContainsString("form-action 'self';", $result);
     }
 
     /**
