[WebProfilerBundle] Handle Content-Security-Policy-Report-Only header correctly

2017-03-17 17:52:43 +01:00 · 2017-03-17 17:52:43 +01:00 · b0ba698111
commit b0ba698111
parent d50885cc16
2 changed files with 13 additions and 8 deletions
--- a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@ -108,6 +108,7 @@ class ContentSecurityPolicyHandler
    {
        $response->headers->remove('X-Content-Security-Policy');
        $response->headers->remove('Content-Security-Policy');
+        $response->headers->remove('Content-Security-Policy-Report-Only');
    }

    /**
@ -257,6 +258,10 @@ class ContentSecurityPolicyHandler
            $headers['Content-Security-Policy'] = $this->parseDirectives($response->headers->get('Content-Security-Policy'));
        }

+        if ($response->headers->has('Content-Security-Policy-Report-Only')) {
+            $headers['Content-Security-Policy-Report-Only'] = $this->parseDirectives($response->headers->get('Content-Security-Policy-Report-Only'));
+        }
+
        if ($response->headers->has('X-Content-Security-Policy')) {
            $headers['X-Content-Security-Policy'] = $this->parseDirectives($response->headers->get('X-Content-Security-Policy'));
        }
--- a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@ -97,41 +97,41 @@ class ContentSecurityPolicyHandlerTest extends TestCase
                array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                $this->createRequest(),
                $this->createResponse(),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
            ),
            array(
                $nonce, array('csp_script_nonce' => $requestScriptNonce, 'csp_style_nonce' => $requestStyleNonce),
                $this->createRequest($requestNonceHeaders),
                $this->createResponse($responseNonceHeaders),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
            ),
            array(
                $nonce,
                array('csp_script_nonce' => $requestScriptNonce, 'csp_style_nonce' => $requestStyleNonce),
                $this->createRequest($requestNonceHeaders),
                $this->createResponse(),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
            ),
            array(
                $nonce,
                array('csp_script_nonce' => $responseScriptNonce, 'csp_style_nonce' => $responseStyleNonce),
                $this->createRequest(),
                $this->createResponse($responseNonceHeaders),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
            ),
            array(
                $nonce,
                array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                $this->createRequest(),
-                $this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:')),
-                array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'X-Content-Security-Policy' => null),
+                $this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'Content-Security-Policy-Report-Only' => 'frame-ancestors http: ; form-action: http:')),
+                array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'Content-Security-Policy-Report-Only' => 'frame-ancestors http: ; form-action: http:', 'X-Content-Security-Policy' => null),
            ),
            array(
                $nonce,
                array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                $this->createRequest(),
-                $this->createResponse(array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'')),
-                array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
+                $this->createResponse(array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'')),
+                array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
            ),
            array(
                $nonce,