HttpExtension: allows bools in CSP policy

Author: dg

src/Bridges/HttpDI/HttpExtension.php

@@ -127,8 +127,12 @@ private static function buildValue(array $config): string
 		static $nonQuoted = ['require-sri-for' => 1, 'sandbox' => 1];
 		$value = '';
 		foreach ($config as $type => $policy) {
+			if ($policy === false) {
+				continue;
+			}
+			$policy = $policy === true ? [] : (array) $policy;
 			$value .= $type;
-			foreach ((array) $policy as $item) {
+			foreach ($policy as $item) {
 				$value .= !isset($nonQuoted[$type]) && preg_match('#^[a-z-]+\z#', $item) ? " '$item'" : " $item";
 			}
 			$value .= '; ';

tests/Http.DI/HttpExtension.csp.phpt

@@ -37,6 +37,8 @@ http:
 	cspReport:
 		default-src: "'nonce'"
 		report-uri: https://example.com/report
+		upgrade-insecure-requests: true
+		block-all-mixed-content: false
 EOD
 , 'neon'));
 
@@ -49,7 +51,7 @@ $headers = headers_list();
 
 preg_match('#nonce-([\w+/]+=*)#', implode($headers), $nonce);
 Assert::contains("Content-Security-Policy: default-src 'self' https://example.com; upgrade-insecure-requests; script-src 'nonce-$nonce[1]'; style-src 'self' https://example.com; require-sri-for style; sandbox allow-forms; plugin-types application/x-java-applet;", $headers);
-Assert::contains("Content-Security-Policy-Report-Only: default-src 'nonce-$nonce[1]'; report-uri https://example.com/report;", $headers);
+Assert::contains("Content-Security-Policy-Report-Only: default-src 'nonce-$nonce[1]'; report-uri https://example.com/report; upgrade-insecure-requests;", $headers);
 
 
 echo ' '; @ob_flush(); flush();