[WebProfilerBundle] Handle Content-Security-Policy-Report-Only header correctly
parent
d50885cc16
commit
b0ba698111
@ -108,6 +108,7 @@ class ContentSecurityPolicyHandler
|
||||
{
|
||||
$response->headers->remove('X-Content-Security-Policy');
|
||||
$response->headers->remove('Content-Security-Policy');
|
||||
$response->headers->remove('Content-Security-Policy-Report-Only');
|
||||
}
|
||||
|
||||
/**
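Review bot: The three CSP header names removed at the lines ending with `remove('Content-Security-Policy-Report-Only');` are spelled out again, one by one, in the parsing code later in the same class, so adding or correcting a header name must now be done in two places. A single class-level list (a constant or a private static array holding `'Content-Security-Policy'`, `'Content-Security-Policy-Report-Only'` and `'X-Content-Security-Policy'`) iterated with `foreach` in both spots would keep removal and parsing from drifting apart. The signature of the method this hunk edits is above the hunk, so whether it is private and where it is called cannot be checked here.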
|
||||
@ -257,6 +258,10 @@ class ContentSecurityPolicyHandler
|
||||
$headers['Content-Security-Policy'] = $this->parseDirectives($response->headers->get('Content-Security-Policy'));
|
||||
}
|
||||
|
||||
if ($response->headers->has('Content-Security-Policy-Report-Only')) {
|
||||
$headers['Content-Security-Policy-Report-Only'] = $this->parseDirectives($response->headers->get('Content-Security-Policy-Report-Only'));
|
||||
}
|
||||
|
||||
if ($response->headers->has('X-Content-Security-Policy')) {
|
||||
$headers['X-Content-Security-Policy'] = $this->parseDirectives($response->headers->get('X-Content-Security-Policy'));
|
||||
}
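Review bot: The new `Content-Security-Policy-Report-Only` branch, like the existing two, reads the policy with `$response->headers->get(...)`, and a Symfony `HeaderBag::get()` call with the default arguments returns only the first value of a header; an application may legitimately send several `Content-Security-Policy` or `Content-Security-Policy-Report-Only` headers, each of which browsers enforce independently, and only the first policy would be parsed here. If the profiler later rewrites the header from this array (not visible in the hunk, so this is an inference), the remaining policies would be silently dropped, which weakens the deployed policy rather than just the profiler display. Consider iterating over every value (`HeaderBag::all()` for the key, or the non-first mode of `get()`) and documenting the behaviour with a short comment such as `// a response may carry several CSP headers; each one is a separate policy`. The method's opening and its return are outside the hunk.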
|
||||
|
@ -97,41 +97,41 @@ class ContentSecurityPolicyHandlerTest extends TestCase
|
||||
array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
|
||||
$this->createRequest(),
|
||||
$this->createResponse(),
|
||||
array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
|
||||
array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
|
||||
),
|
||||
array(
|
||||
$nonce, array('csp_script_nonce' => $requestScriptNonce, 'csp_style_nonce' => $requestStyleNonce),
|
||||
$this->createRequest($requestNonceHeaders),
|
||||
$this->createResponse($responseNonceHeaders),
|
||||
array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
|
||||
array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
|
||||
),
|
||||
array(
|
||||
$nonce,
|
||||
array('csp_script_nonce' => $requestScriptNonce, 'csp_style_nonce' => $requestStyleNonce),
|
||||
$this->createRequest($requestNonceHeaders),
|
||||
$this->createResponse(),
|
||||
array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
|
||||
array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
|
||||
),
|
||||
array(
|
||||
$nonce,
|
||||
array('csp_script_nonce' => $responseScriptNonce, 'csp_style_nonce' => $responseStyleNonce),
|
||||
$this->createRequest(),
|
||||
$this->createResponse($responseNonceHeaders),
|
||||
array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
|
||||
array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
|
||||
),
|
||||
array(
|
||||
$nonce,
|
||||
array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
|
||||
$this->createRequest(),
|
||||
$this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:')),
|
||||
array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'X-Content-Security-Policy' => null),
|
||||
$this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'Content-Security-Policy-Report-Only' => 'frame-ancestors http: ; form-action: http:')),
|
||||
array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'Content-Security-Policy-Report-Only' => 'frame-ancestors http: ; form-action: http:', 'X-Content-Security-Policy' => null),
|
||||
),
|
||||
array(
|
||||
$nonce,
|
||||
array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
|
||||
$this->createRequest(),
|
||||
$this->createResponse(array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'')),
|
||||
array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
|
||||
$this->createResponse(array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'')),
|
||||
array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
|
||||
),
|
||||
array(
|
||||
$nonce,
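Review bot: Every dataset that exercises the new header (the lines building a response with both `'Content-Security-Policy' => ...` and `'Content-Security-Policy-Report-Only' => ...`) always sends the enforced header alongside the report-only one, so the most common rollout shape, a report-only policy with no enforced policy at all, is not covered and a regression where the report-only nonce injection depends on the enforced header being present would pass. A dataset with `$this->createResponse(array('Content-Security-Policy-Report-Only' => 'default-src \'self\'; script-src \'self\''))` and an expectation of `'Content-Security-Policy' => null` for the enforced header would close that gap. Separately, the fixture `form-action: https:` (colon after the directive name) is not a valid CSP directive; it is carried over from the old lines, but since the report-only case copies it, it may be worth fixing in both so the test does not depend on how the parser treats malformed directives. The data provider method starts above the hunk.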
|
||||
|