Feature/default src tests

README.md

@@ -75,7 +75,6 @@ to the require section of your composer.json.
             'geolocation' => "'self'",
             'gyroscope' => "'self'",
             'layout-animations' => "'self'",
-            'legacy-image-format' => "'self'",
             'magnetometer' => "'self'",
             'microphone' => "'self'",
             'midi' => "'self'",

phpunit.xml.dist

@@ -1,18 +1,13 @@
 <?xml version="1.0" encoding="utf-8"?>
-<phpunit bootstrap="./tests/bootstrap.php"
-    colors="true"
-    convertErrorsToExceptions="true"
-    convertNoticesToExceptions="true"
-    convertWarningsToExceptions="true"
-    stopOnFailure="false">
-    <testsuites>
-        <testsuite name="Test Suite">
-            <directory>./tests</directory>
-        </testsuite>
-    </testsuites>
-    <filter>
-        <whitelist processUncoveredFilesFromWhitelist="true">
-            <directory suffix=".php">./src</directory>
-        </whitelist>
-    </filter>
-</phpunit>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="./tests/bootstrap.php" colors="true" convertErrorsToExceptions="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnFailure="false" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd">
+  <coverage processUncoveredFiles="true">
+    <include>
+      <directory suffix=".php">./src</directory>
+    </include>
+  </coverage>
+  <testsuites>
+    <testsuite name="Test Suite">
+      <directory>./tests</directory>
+    </testsuite>
+  </testsuites>
+</phpunit>

src/Headers.php

@@ -76,7 +76,7 @@ class Headers extends Component implements BootstrapInterface
      * @access public
      * @var string
      */
-    public $xPoweredBy = 'Hyperia';
+    public $xPoweredBy = '';
 
     /**
      * Report URI
@@ -156,7 +156,7 @@ public function bootstrap($app)
                 ];
 
                 foreach ($headerPolicy as $policy) {
-                    if ($policy->isValid()) {
+                    if ($policy->isValid() && !$headers->has($policy->getName())) {
                         $headers->set($policy->getName(), $policy->getValue());
                     }
                 }

src/headers/ContentSecurityPolicy.php

@@ -66,7 +66,7 @@ public function getValue(): string
 
     public function isValid(): bool
     {
-        $allowedDirectives = array_keys($this->defaultDirectives);
+        $allowedDirectives = array_keys(array_merge($this->defaultDirectives, $this->defaultCsp));
         foreach ($this->directives as $directive => $value) {
             if (!in_array($directive, $allowedDirectives) && !empty($value)) {
                 return false;

src/headers/FeaturePolicy.php

@@ -18,7 +18,6 @@ class FeaturePolicy implements PolicyInterface
         'geolocation' => "'self'",
         'gyroscope' => "'self'",
         'layout-animations' => "'self'",
-        'legacy-image-format' => "'self'",
         'magnetometer' => "'self'",
         'microphone' => "'self'",
         'midi' => "'self'",

src/headers/XPoweredBy.php

@@ -23,6 +23,6 @@ public function getValue(): string
 
     public function isValid(): bool
     {
-        return true;
+        return !empty($this->value);
     }
 }

tests/headers/ContentSecurityPolicyTest.php

@@ -7,14 +7,9 @@
 
 class ContentSecurityPolicyTest extends TestCase
 {
-    /**
-     * @var ContentSecurityPolicy
-     */
-    private $header;
-
-    public function setUp(): void
+    public function testCommon(): void
     {
-        $this->header = new ContentSecurityPolicy([
+        $policy = new ContentSecurityPolicy([
             'object-src' => "'self'",
             'media-src' => "'self'",
             'form-action' => "'self'",
@@ -23,21 +18,10 @@ public function setUp(): void
             'upgradeInsecureRequests' => false,
             'blockAllMixedContent' => true
         ], 'https://www.example.com');
-    }
-
-    public function testGetValue(): void
-    {
-        $this->assertSame("default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $this->header->getValue());
-    }
-
-    public function testGetName(): void
-    {
-        $this->assertSame('Content-Security-Policy', $this->header->getName());
-    }
 
-    public function testIsValid(): void
-    {
-        $this->assertTrue($this->header->isValid());
+        $this->assertSame("default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
+        $this->assertSame('Content-Security-Policy', $policy->getName());
+        $this->assertTrue($policy->isValid());
     }
 
     public function testInvalid(): void
@@ -66,6 +50,44 @@ public function testWithSubresourceIntegrity()
             'requireSriForStyle' => true
         ], 'https://www.example.com');
 
+        $this->assertTrue($policy->isValid());
         $this->assertSame("default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; require-sri-for script style; report-uri https://www.example.com/r/d/csp/enforce", $policy->getValue());
     }
+
+    public function testDefaultSrc(): void
+    {
+        $policy = new ContentSecurityPolicy([
+            'default-src' => "*",
+        ], [
+            'upgradeInsecureRequests' => false,
+            'blockAllMixedContent' => true
+        ], 'https://www.example.com');
+
+        $this->assertSame("default-src *; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
+        $this->assertTrue($policy->isValid());
+
+        // 'self'
+        $policy = new ContentSecurityPolicy([
+            'default-src' => "'self'",
+        ], [
+            'upgradeInsecureRequests' => false,
+            'blockAllMixedContent' => true
+        ], 'https://www.example.com');
+
+        $this->assertSame("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
+        $this->assertTrue($policy->isValid());
+    }
+
+    public function testWithChildSrc(): void
+    {
+        $policy = new ContentSecurityPolicy([
+            'child-src' => "'self'"
+        ], [
+            'upgradeInsecureRequests' => false,
+            'blockAllMixedContent' => true
+        ], 'https://www.example.com');
+
+        $this->assertNotTrue($policy->isValid());
+        $this->assertSame("default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'self'; prefetch-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src 'self'; form-action 'self'; worker-src 'self'; child-src 'self'; report-uri https://www.example.com/r/d/csp/enforce; block-all-mixed-content", $policy->getValue());
+    }
 }

tests/headers/EmptyXPoweredByTest.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace hyperia\security\tests\headers;
+
+use hyperia\security\headers\XPoweredBy;
+use hyperia\security\tests\TestCase;
+
+class EmptyXPoweredByTest extends TestCase
+{
+    /**
+     * @var XPoweredBy
+     */
+    private $header;
+
+    public function setUp(): void
+    {
+        $this->header = new XPoweredBy('');
+    }
+
+    public function testGetValue(): void
+    {
+        $this->assertSame('', $this->header->getValue());
+    }
+
+    public function testIsValid(): void
+    {
+        $this->assertNotTrue($this->header->isValid());
+    }
+}

tests/headers/FeaturePolicyTest.php

@@ -22,7 +22,7 @@ public function setUp(): void
 
     public function testGetValue(): void
     {
-        $this->assertSame("accelerometer 'self'; ambient-light-sensor 'self'; autoplay 'self'; battery 'self'; camera 'self'; display-capture 'self'; document-domain 'self'; encrypted-media 'self'; fullscreen 'self'; geolocation 'self'; gyroscope 'self'; layout-animations 'self'; legacy-image-format 'self'; magnetometer 'self'; microphone 'self'; midi 'self'; oversized-images 'self'; payment *; picture-in-picture 'none'; publickey-credentials-get 'self'; sync-xhr 'self'; usb 'self'; wake-lock 'self'; xr-spatial-tracking 'self'", $this->header->getValue());
+        $this->assertSame("accelerometer 'self'; ambient-light-sensor 'self'; autoplay 'self'; battery 'self'; camera 'self'; display-capture 'self'; document-domain 'self'; encrypted-media 'self'; fullscreen 'self'; geolocation 'self'; gyroscope 'self'; layout-animations 'self'; magnetometer 'self'; microphone 'self'; midi 'self'; oversized-images 'self'; payment *; picture-in-picture 'none'; publickey-credentials-get 'self'; sync-xhr 'self'; usb 'self'; wake-lock 'self'; xr-spatial-tracking 'self'", $this->header->getValue());
     }
 
     public function testGetName(): void