HttpExtension: fixed quotating in sections require-sri-for & sandbox [Closes #143]

peldax · dg · commit bc3a9ac2999a · 2018-08-28T00:15:04.000+02:00
diff --git a/src/Bridges/HttpDI/HttpExtension.php b/src/Bridges/HttpDI/HttpExtension.php
@@ -124,11 +124,12 @@ public function afterCompile(Nette\PhpGenerator\ClassType $class)
 
 	private static function buildValue(array $config): string
 	{
+		static $nonQuoted = ['require-sri-for' => 1, 'sandbox' => 1];
 		$value = '';
 		foreach ($config as $type => $policy) {
 			$value .= $type;
 			foreach ((array) $policy as $item) {
-				$value .= preg_match('#^[a-z-]+\z#', $item) ? " '$item'" : " $item";
+				$value .= !isset($nonQuoted[$type]) && preg_match('#^[a-z-]+\z#', $item) ? " '$item'" : " $item";
 			}
 			$value .= '; ';
 		}
diff --git a/tests/Http.DI/HttpExtension.csp.phpt b/tests/Http.DI/HttpExtension.csp.phpt
@@ -30,6 +30,9 @@ http:
 		style-src:
 			- self
 			- https://example.com
+		require-sri-for: style
+		sandbox: allow-forms
+		plugin-types: application/x-java-applet
 
 	cspReport:
 		default-src: "'nonce'"
@@ -45,7 +48,7 @@ $container->initialize();
 $headers = headers_list();
 
 preg_match('#nonce-([\w+/]+=*)#', implode($headers), $nonce);
-Assert::contains("Content-Security-Policy: default-src 'self' https://example.com; upgrade-insecure-requests; script-src 'nonce-$nonce[1]'; style-src 'self' https://example.com;", $headers);
+Assert::contains("Content-Security-Policy: default-src 'self' https://example.com; upgrade-insecure-requests; script-src 'nonce-$nonce[1]'; style-src 'self' https://example.com; require-sri-for style; sandbox allow-forms; plugin-types application/x-java-applet;", $headers);
 Assert::contains("Content-Security-Policy-Report-Only: default-src 'nonce-$nonce[1]'; report-uri https://example.com/report;", $headers);
 
 

Original file line number	Diff line number	Diff line change
`@@ -124,11 +124,12 @@ public function afterCompile(Nette\PhpGenerator\ClassType $class)`
`124`	`124`
`125`	`125`	`private static function buildValue(array $config): string`
`126`	`126`	`{`
	`127`	`+ static $nonQuoted = ['require-sri-for' => 1, 'sandbox' => 1];`
`127`	`128`	`$value = '';`
`128`	`129`	`foreach ($config as $type => $policy) {`
`129`	`130`	`$value .= $type;`
`130`	`131`	`foreach ((array) $policy as $item) {`
`131`		`- $value .= preg_match('#^[a-z-]+\z#', $item) ? " '$item'" : " $item";`
	`132`	`+ $value .= !isset($nonQuoted[$type]) && preg_match('#^[a-z-]+\z#', $item) ? " '$item'" : " $item";`
`132`	`133`	`}`
`133`	`134`	`$value .= '; ';`
`134`	`135`	`}`