Commit ece42c5

committed
bug #22045 [WebProfilerBundle] Handle Content-Security-Policy-Report-Only header correctly (romainneutron)
This PR was merged into the 3.2 branch. Discussion ---------- [WebProfilerBundle] Handle Content-Security-Policy-Report-Only header correctly | Q | A | ------------- | --- | Branch? | 3.2 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | N/A | License | MIT | Doc PR | N/A This header should have been handled from the beginning. The Content-Security-Policy recommendation specifies this header, so it needs to be handled correctly. Commits ------- b0ba698 [WebProfilerBundle] Handle Content-Security-Policy-Report-Only header correctly
2 parents ab08fd6 + b0ba698 commit ece42c5

2 files changed

+13
-8
lines changed

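--- a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@@ -108,6 +108,7 @@ private function removeCspHeaders(Response $response)
     {
         $response->headers->remove('X-Content-Security-Policy');
         $response->headers->remove('Content-Security-Policy');
+        $response->headers->remove('Content-Security-Policy-Report-Only');
     }
 
     /**
@@ -257,6 +258,10 @@ private function getCspHeaders(Response $response)
             $headers['Content-Security-Policy'] = $this->parseDirectives($response->headers->get('Content-Security-Policy'));
         }
 
+        if ($response->headers->has('Content-Security-Policy-Report-Only')) {
+            $headers['Content-Security-Policy-Report-Only'] = $this->parseDirectives($response->headers->get('Content-Security-Policy-Report-Only'));
+        }
+
         if ($response->headers->has('X-Content-Security-Policy')) {
             $headers['X-Content-Security-Policy'] = $this->parseDirectives($response->headers->get('X-Content-Security-Policy'));
         }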
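Review bot: The new branch in getCspHeaders reads the report-only policy with `$response->headers->get('Content-Security-Policy-Report-Only')`, mirroring the enforced-header branch above it; if that accessor returns only the first value of a multi-valued header (HeaderBag's default, to be confirmed for this branch), a response that sends several Content-Security-Policy-Report-Only headers gets only its first policy parsed and nonce-injected, and the others presumably never receive the profiler's nonce. CSP explicitly allows several headers of the same name, each applied independently, so a second report-only policy would silently start reporting violations for the profiler's inline styles and scripts. Either read every value (`$response->headers->get('Content-Security-Policy-Report-Only', null, false)` or `all()`) or record the assumption with a comment such as `// Only the first header value is rewritten; responses carrying several CSP headers of one name are not fully supported`; the same limitation applies to the pre-existing Content-Security-Policy and X-Content-Security-Policy branches. getCspHeaders begins and ends outside the hunk, so the `$headers` initialisation and the return are not visible here.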

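--- a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@@ -97,41 +97,41 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce, array('csp_script_nonce' => $requestScriptNonce, 'csp_style_nonce' => $requestStyleNonce),
                 $this->createRequest($requestNonceHeaders),
                 $this->createResponse($responseNonceHeaders),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $requestScriptNonce, 'csp_style_nonce' => $requestStyleNonce),
                 $this->createRequest($requestNonceHeaders),
                 $this->createResponse(),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $responseScriptNonce, 'csp_style_nonce' => $responseStyleNonce),
                 $this->createRequest(),
                 $this->createResponse($responseNonceHeaders),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
-                $this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:')),
-                array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'X-Content-Security-Policy' => null),
+                $this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'Content-Security-Policy-Report-Only' => 'frame-ancestors http: ; form-action: http:')),
+                array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'Content-Security-Policy-Report-Only' => 'frame-ancestors http: ; form-action: http:', 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
-                $this->createResponse(array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'')),
-                array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
+                $this->createResponse(array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'')),
+                array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,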
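Review bot: None of the updated provider cases exercises a response that carries Content-Security-Policy-Report-Only without an enforced Content-Security-Policy: the two cases that set a Report-Only value (old lines 126 and 133) always pair it with a Content-Security-Policy header, and the four null-expectation cases send neither. Report-only alone is the usual CSP rollout mode, and it is precisely the path where a mistyped header name in getCspHeaders would go unnoticed, because the paired enforced header would still yield the expected output. I would add one case built from `$this->createResponse(array('Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\''))` whose expected array has `'Content-Security-Policy' => null` and the nonce-injected policy under the Report-Only key, following the shape of the existing domain-report-only.com case. provideRequestAndResponsesForOnKernelResponse starts and ends outside the hunk.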
