Merge branch 'reporttoandscriptdynamic' of github.com:zero-24/joomla-…

…cms into reporttoandscriptdynamic
joomla · Apr 30, 2020 · dbd8653 · dbd8653
2 parents 615f800 + 815bdb2
commit dbd8653
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/administrator/language/en-GB/com_csp.ini b/administrator/language/en-GB/com_csp.ini
@@ -20,9 +20,10 @@ COM_CSP_CONTENTSECURITYPOLICY_NONCE_ENABLED="<a href='https://scotthelme.co.uk/c
 COM_CSP_CONTENTSECURITYPOLICY_NONCE_ENABLED_DESC="Enable the whitelist for specific inline scripts using a cryptographic nonce (number used once) for all scripts and styles using the Joomla API. Specifying a nonce makes a modern browser ignore 'unsafe-inline' which should still be set for older browsers without nonce support."
 ; Please do not translate 'Content-Security-Policy' & 'Content-Security-Policy-Report-Only' in the following language string
 COM_CSP_CONTENTSECURITYPOLICY_REPORT_ONLY_DESC="Use the header 'Content-Security-Policy-Report-Only' instead of 'Content-Security-Policy'."
-; Please do not translate the following language string
+; Please do not translate the following two language strings
 COM_CSP_CONTENTSECURITYPOLICY_REPORT_ONLY="Report-Only"
 COM_CSP_CONTENTSECURITYPOLICY_SCRIPT_DYNAMIC_ENABLED="strict-dynamic"
+; Please do not translate 'strict-dynamic', 'self' and 'unsafe-inline' in the following language string
 COM_CSP_CONTENTSECURITYPOLICY_SCRIPT_DYNAMIC_ENABLED_DESC="The strict-dynamic source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored."
 ; Please only change the URL in the following language string
 COM_CSP_CONTENTSECURITYPOLICY_SCRIPT_HASHES_ENABLED="<a href='https://scotthelme.co.uk/content-security-policy-an-introduction/#hash' target='_blank' rel='noopener noreferrer'>Script hashes</a>"

diff --git a/plugins/system/httpheaders/httpheaders.php b/plugins/system/httpheaders/httpheaders.php
@@ -322,12 +322,12 @@ private function setCspHeader(): void
 					$frameAncestorsSet = true;
 				}
 
-				// Add strict-dynamic to the script-src directive when enabeld
+				// Add strict-dynamic to the script-src directive when enabled
 				if ($cspValue->directive === 'script-src'
 					&& strpos($cspValue->value, 'strict-dynamic') === 0
 					&& $scriptDynamicEnabled)
 				{
-					$cspValue->value = $cspValue->value . " 'strict-dynamic' ";
+					$cspValue->value .= " 'strict-dynamic' ";
 				}
 
 				$newCspValues[] = trim($cspValue->directive) . ' ' . trim($cspValue->value);
@@ -453,12 +453,12 @@ private function compileAutomaticCspHeaderRules(): array
 				$cspHeaderValue = '{style-hashes} ' . $cspHeaderValue;
 			}
 
-			// Add strict-dynamic to the script-src directive when enabeld
+			// Add strict-dynamic to the script-src directive when enabled
 			if ($cspHeaderkey === 'script-src'
 				&& strpos($cspHeaderValue, 'strict-dynamic') === 0
 				&& $scriptDynamicEnabled)
 			{
-				$cspHeaderValue = $cspHeaderValue . " 'strict-dynamic' ";
+				$cspHeaderValue .= " 'strict-dynamic' ";
 			}
 
 			// By default we should whitelist 'self' on any directive

diff --git a/plugins/system/httpheaders/httpheaders.xml b/plugins/system/httpheaders/httpheaders.xml
@@ -66,7 +66,7 @@
 							<option value="referrer-policy">Referrer-Policy</option>
 							<option value="expect-ct">Expect-CT</option>
 							<option value="feature-policy">Feature-Policy</option>
-							<option value="report-to">Report-to</option>
+							<option value="report-to">Report-To</option>
 						</field>
 						<field
 							name="value"