[4.0] Add the Report-To header to the http header config and allow to set the script-dynamic header

[zero-24]

Summary of Changes

Add the Report-To (#2) header to the http header config and allow to set the script-dynamic header

Testing Instructions

• go to the plg_system_httpheaders
• notice there is no report-to header in the force header option.
• apply this patch
• the option is there
• set the option to any value. (or see here the details + example)
• revert the patch
• go to the com_csp options
• notice there is no strict-dynamic setting
• apply this patch
• notice there is now a strict dynamatic setting. (details)
• enable the strict dynamic setting
• (when in custom mode make sure you setup a inital script-src dummy rule)
• and check the generated csp header. (F12 -> Network tab)

Expected result

• you can set the report-to via the plugin
• you can set the strict-dynamic option for the CSP

Actual result

• you can not set the report-to via the plugin
• you can not set the strict-dynamic option for the CSP

Documentation Changes Required

The script-dynamic options needs to be added to doc pages the Report-To has been added already
https://docs.joomla.org/index.php?title=Help4.x:Components_CSP_Reports_Options
https://docs.joomla.org/J4.x:Http_Header_Management

[zero-24]

Thanks @Quy

[zero-24]

Thanks merged @Quy

[Quy]

Please fix conflicts.

[zero-24]

Done @Quy

[richard67]

referrer-policy | strict-origin-when-cross-origin

This what I'm looking for? Am new to CSP.

At this point @zero-24 can help netter than I do.

[zero-24]

This what I'm looking for? Am new to CSP.

Conent-security-poliy(-report-only)

Can you please post the settings you made?

[Bodge-IT]

com_csp:

[Bodge-IT]

Plugin:

[Bodge-IT]

headers:

[richard67]

@Bodge-IT In your screenshot of the headers I see: "report-to: csp-endpoint". That's one of the headers added by this PR, so success for this point.

For the second point the strict-dynamic option option, your screenshot with the com_csp options shows that this option is there. So success also for this point.

@zero-24 Am I right? Or am I missing something?

[zero-24]

@zero-24 Am I right? Or am I missing something?

Yes @Bodge-IT in custom mode you can actually also add a custom rule ("last option") with script-src and some value and notice that the CSP header has that key value as well as script-dynamic.

[Bodge-IT]

I get this:

[zero-24]

Ok found the issue please re apply this PR (revert and than apply again via patchtester) or manually apply this changes here: 304c468

[Bodge-IT]

Boom:

Will reset @opn365 test and request new additional test

Thanks for your support...

[zero-24]

Thanks 👍

[Bodge-IT]

Do we need to get tests reset?

@zero-24, can you tweak test instructions to advise what we're looking for in headers?

[richard67]

@Bodge-IT No need for reset, that happens automatically on GitHub with a new commit. In the tracker you might not see that. But it's here on GitHub which counts.

@opn365 Could you re apply this PR (revert, then fetch again patches and than apply again via patchtester if using patchtester, or pulling latest changes when using a git client) and then repeat your test? There have been changes made in this PR. Thanks in advance, and thanks for the previous test.

[zero-24]

@zero-24, can you tweak test instructions to advise what we're looking for in headers?

Done thanks

[Bodge-IT]

I have tested this item ✅ successfully on 80d1e1b

Checked options and headers...all good.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28724.}

[flo-the-cat]

I have tested this item ✅ successfully on 80d1e1b

Was easy as pie to follow, once Gary added all the screen shots!

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28724.}

[Bodge-IT]

Pulled in Phil to get this done...

[richard67]

Pulled in Phil to get this done...

Seems he did not have time and has sent his cat instead ;-)

[richard67]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28724.}