From d2a2dff57d279c87cbdbd569ceff005d7921b897 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Sat, 25 Mar 2023 19:50:49 +0900
Subject: [PATCH 1/3] docs: use getCSP() instead of CSP property
The CSP property is deprecated.
---
 user_guide_src/source/outgoing/response.rst | 2 +-
 .../source/outgoing/response/012.php | 39 ++++++++++---------
 .../source/outgoing/response/013.php | 11 ++++--
 3 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/user_guide_src/source/outgoing/response.rst b/user_guide_src/source/outgoing/response.rst
index 0fcd5d45d7d5..6c9d2509b385 100644
--- a/user_guide_src/source/outgoing/response.rst
+++ b/user_guide_src/source/outgoing/response.rst
@@ -170,7 +170,7 @@ call basis, by providing an optional second parameter to the adding method call.
 Runtime Configuration
 ---------------------
-If your application needs to make changes at run-time, you can access the instance at ``$this->response->CSP`` in your controllers. The
+If your application needs to make changes at run-time, you can access the instance at ``$this->response->getCSP()`` in your controllers. The
 class holds a number of methods that map pretty clearly to the appropriate header value that you need to set. Examples are shown below, with different combinations of parameters, though all accept either a directive name or an array of them:
diff --git a/user_guide_src/source/outgoing/response/012.php b/user_guide_src/source/outgoing/response/012.php
index a9487e9379a0..24e145a0fa7b 100644
--- a/user_guide_src/source/outgoing/response/012.php
+++ b/user_guide_src/source/outgoing/response/012.php
@@ -1,30 +1,33 @@ response->getCSP();
+
 // specify the default directive treatment
-$this->response->CSP->reportOnly(false);
+$csp->reportOnly(false);
 // specify the origin to use if none provided for a directive
-$this->response->CSP->setDefaultSrc('cdn.example.com');
+$csp->setDefaultSrc('cdn.example.com');
 // specify the URL that "report-only" reports get sent to
-$this->response->CSP->setReportURI('http://example.com/csp/reports');
+$csp->setReportURI('http://example.com/csp/reports');
 // specify that HTTP requests be upgraded to HTTPS
-$this->response->CSP->upgradeInsecureRequests(true);
+$csp->upgradeInsecureRequests(true);
 // add types or origins to CSP directives
 // assuming that the default treatment is to block rather than just report
-$this->response->CSP->addBaseURI('example.com', true); // report only
-$this->response->CSP->addChildSrc('https://youtube.com'); // blocked
-$this->response->CSP->addConnectSrc('https://*.facebook.com', false); // blocked
-$this->response->CSP->addFontSrc('fonts.example.com');
-$this->response->CSP->addFormAction('self');
-$this->response->CSP->addFrameAncestor('none', true); // report this one
-$this->response->CSP->addImageSrc('cdn.example.com');
-$this->response->CSP->addMediaSrc('cdn.example.com');
-$this->response->CSP->addManifestSrc('cdn.example.com');
-$this->response->CSP->addObjectSrc('cdn.example.com', false); // reject from here
-$this->response->CSP->addPluginType('application/pdf', false); // reject this media type
-$this->response->CSP->addScriptSrc('scripts.example.com', true); // allow but report requests from here
-$this->response->CSP->addStyleSrc('css.example.com');
-$this->response->CSP->addSandbox(['allow-forms', 'allow-scripts']);
+$csp->addBaseURI('example.com', true); // report only
+$csp->addChildSrc('https://youtube.com'); // blocked
+$csp->addConnectSrc('https://*.facebook.com', false); // blocked
+$csp->addFontSrc('fonts.example.com');
+$csp->addFormAction('self');
+$csp->addFrameAncestor('none', true); // report this one
+$csp->addImageSrc('cdn.example.com');
+$csp->addMediaSrc('cdn.example.com');
+$csp->addManifestSrc('cdn.example.com');
+$csp->addObjectSrc('cdn.example.com', false); // reject from here
+$csp->addPluginType('application/pdf', false); // reject this media type
+$csp->addScriptSrc('scripts.example.com', true); // allow but report requests from here
+$csp->addStyleSrc('css.example.com');
+$csp->addSandbox(['allow-forms', 'allow-scripts']);
diff --git a/user_guide_src/source/outgoing/response/013.php b/user_guide_src/source/outgoing/response/013.php
index 959a7bfcabef..a34b34607f26 100644
--- a/user_guide_src/source/outgoing/response/013.php
+++ b/user_guide_src/source/outgoing/response/013.php
@@ -1,6 +1,9 @@ response->CSP->addChildSrc('https://youtube.com'); // allowed
-$this->response->CSP->reportOnly(true);
-$this->response->CSP->addChildSrc('https://metube.com'); // allowed but reported
-$this->response->CSP->addChildSrc('https://ourtube.com', false); // allowed
+// get the CSP instance
+$csp = $this->response->getCSP();
+
+$csp->addChildSrc('https://youtube.com'); // allowed
+$csp->reportOnly(true);
+$csp->addChildSrc('https://metube.com'); // allowed but reported
+$csp->addChildSrc('https://ourtube.com', false); // allowed
From 8c349e5a12b6465a1f99f267e2e5b078aa480844 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Sat, 25 Mar 2023 19:51:34 +0900
Subject: [PATCH 2/3] docs: add () after method name
---
 user_guide_src/source/outgoing/response.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/user_guide_src/source/outgoing/response.rst b/user_guide_src/source/outgoing/response.rst
index 6c9d2509b385..2e9e3ca14f9a 100644
--- a/user_guide_src/source/outgoing/response.rst
+++ b/user_guide_src/source/outgoing/response.rst
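Review bot: The report endpoint in the new `$csp->setReportURI('http://example.com/csp/reports');` line is a plain-HTTP URL, so browsers would deliver violation reports (which generally carry the violating document URL and the blocked resource) in the clear, and it sits two lines above the call that explicitly upgrades insecure requests. Because these snippets are copied verbatim into user code, the example should point at an HTTPS collector: `$csp->setReportURI('https://example.com/csp/reports');`. The same `http://` value is present on the removed line, so the inconsistency predates this commit, but the rewrite is the natural place to correct it. The opening lines of this hunk (the `<?php` line and the `$csp = $this->response->getCSP();` assignment) are only partially visible here.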
@@ -180,7 +180,7 @@ name or an array of them:
 The first parameter to each of the "add" methods is an appropriate string value, or an array of them.
-The ``reportOnly`` method allows you to specify the default reporting treatment
+The ``reportOnly()`` method allows you to specify the default reporting treatment
 for subsequent sources, unless over-ridden. For instance, you could specify that youtube.com was allowed, and then provide several allowed but reported sources:
From a921e66cb9c3b0b62a92b96f81b6765b9f0e4e5c Mon Sep 17 00:00:00 2001
From: kenjis
Date: Sat, 25 Mar 2023 19:51:49 +0900
Subject: [PATCH 3/3] docs: make functions linkable
---
 user_guide_src/source/outgoing/response.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/user_guide_src/source/outgoing/response.rst b/user_guide_src/source/outgoing/response.rst
index 2e9e3ca14f9a..e1b5a353b1c7 100644
--- a/user_guide_src/source/outgoing/response.rst
+++ b/user_guide_src/source/outgoing/response.rst
@@ -214,7 +214,7 @@ life, and is most secure when generated on the fly. To make this simple, you can
 If you don't like this auto replacement functionality, you can turn it off with setting ``$autoNonce = false`` in **app/Config/ContentSecurityPolicy.php**.
-In this case, you can use the functions, ``csp_script_nonce()`` and ``csp_style_nonce()``::
+In this case, you can use the functions, :php:func:`csp_script_nonce()` and :php:func:`csp_style_nonce()`::
 // Original