From 4513b02caf6257bb00ac2cb8eb58d77e0eb08b0f Mon Sep 17 00:00:00 2001
From: fritzmg
Date: Mon, 22 Jan 2024 15:42:20 +0000
Subject: [PATCH 1/2] Do not add signatures if unsafe-inline is enabled

---
 src/ContentSecurityPolicy/DirectiveSet.php | 5 ++++-
 tests/ContentSecurityPolicy/DirectiveSetTest.php | 2 +-
 tests/Listener/ContentSecurityPolicyListenerTest.php | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/ContentSecurityPolicy/DirectiveSet.php b/src/ContentSecurityPolicy/DirectiveSet.php
index 70fcdece..fb7307bc 100644
--- a/src/ContentSecurityPolicy/DirectiveSet.php
+++ b/src/ContentSecurityPolicy/DirectiveSet.php
@@ -139,7 +139,10 @@ public function buildHeaderValue(Request $request, ?array $signatures = null): s
 // let's ensure that it's backward compatible with CSP level 1 (all browsers are not compatible)
 // this is the recommended way to deal with this.
 if (false === strpos($value, '\'unsafe-inline\'') && $this->level1Fallback) {
- $policy[] = $name.' '.$value.' \'unsafe-inline\' '.$signatures[$name];
+ $policy[] = $name.' '.$value.' '.'\'unsafe-inline\' '.$signatures[$name];
+ // Do not add any signatures if 'unsafe-inline' is allowed anyway
+ } elseif (false !== strpos($value, '\'unsafe-inline\'')) {
+ $policy[] = $name.' '.$value;
 } else {
 $policy[] = $name.' '.$value.' '.$signatures[$name];
 }
diff --git a/tests/ContentSecurityPolicy/DirectiveSetTest.php b/tests/ContentSecurityPolicy/DirectiveSetTest.php
index e54b50bc..bb629f27 100644
--- a/tests/ContentSecurityPolicy/DirectiveSetTest.php
+++ b/tests/ContentSecurityPolicy/DirectiveSetTest.php
@@ -374,7 +374,7 @@ public function provideConfigAndSignatures(): array
 {
 return [
 [
- 'default-src \'self\'; script-src \'self\' \'unsafe-inline\' \'sha-1\'; style-src \'self\' \'unsafe-inline\' \'sha2\'',
+ 'default-src \'self\'; script-src \'self\' \'unsafe-inline\'; style-src \'self\' \'unsafe-inline\' \'sha2\'',
 [
 'enforce' => [
 'level1_fallback' => true,
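Review bot: The new `elseif` branch re-evaluates `strpos($value, '\'unsafe-inline\'')` that the `if` one line above already computed, and the explanatory comment is placed inside the first branch's body rather than next to the branch it describes. Hoisting `$hasUnsafeInline = false !== strpos($value, '\'unsafe-inline\'');` above the `if` and testing `!$hasUnsafeInline && $this->level1Fallback` / `$hasUnsafeInline` keeps the two conditions visibly complementary and lets the comment sit on the branch it belongs to. The comment should also state the actual reason, because "allowed anyway" understates it: browsers implementing CSP Level 2 or later ignore `'unsafe-inline'` when a hash or nonce is present in the same directive, so appending `$signatures[$name]` would silently revoke the inline allowance the configuration asked for; e.g. `// CSP2+ browsers ignore 'unsafe-inline' once a hash/nonce is present, so appending signatures would silently change the configured policy`. The same rationale belongs on the renamed listener test `testDoesNotApplySignatureWithUnsafeInline`, which otherwise reads as an arbitrary expectation. buildHeaderValue starts and ends outside the hunk, so whether `$signatures[$name]` is guaranteed to be set at this point cannot be confirmed here.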
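Review bot: The updated fixture now expects no signature on `script-src` but still expects `'sha2'` on `style-src`, and nothing in the dataset says why the two directives differ; presumably `style-src` is configured without `'unsafe-inline'` and receives it from the `'level1_fallback' => true` branch, but the config array continues past the hunk so that cannot be confirmed here. A short comment on the expected string, e.g. `// script-src: 'unsafe-inline' configured, so no hash; style-src: 'unsafe-inline' added by level1 fallback, hash kept`, would make explicit which branch each directive exercises. provideConfigAndSignatures starts before and ends after the hunk.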
diff --git a/tests/Listener/ContentSecurityPolicyListenerTest.php b/tests/Listener/ContentSecurityPolicyListenerTest.php index 5257e776..57a38e17 100644 --- a/tests/Listener/ContentSecurityPolicyListenerTest.php +++ b/tests/Listener/ContentSecurityPolicyListenerTest.php @@ -87,13 +87,13 @@ public function testDefaultWithSignatures(): void ); } - public function testEvenWithUnsafeInlineItAppliesSignature(): void + public function testDoesNotApplySignatureWithUnsafeInline(): void { $listener = $this->buildSimpleListener(['default-src' => "default.example.org 'self'", 'script-src' => "'self' 'unsafe-inline'"]); $response = $this->callListener($listener, '/', true, 'text/html', ['signatures' => ['script-src' => ['sha-1']]]); $this->assertSame( - "default-src default.example.org 'self'; script-src 'self' 'unsafe-inline' 'sha-1'", + "default-src default.example.org 'self'; script-src 'self' 'unsafe-inline'", $response->headers->get('Content-Security-Policy') ); } From 3e5f37dbba176066e4561ba50d3387b494e123fd Mon Sep 17 00:00:00 2001 From: fritzmg Date: Mon, 22 Jan 2024 15:52:51 +0000 Subject: [PATCH 2/2] revert unrelated change --- src/ContentSecurityPolicy/DirectiveSet.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ContentSecurityPolicy/DirectiveSet.php b/src/ContentSecurityPolicy/DirectiveSet.php index fb7307bc..f3dd2351 100644 --- a/src/ContentSecurityPolicy/DirectiveSet.php +++ b/src/ContentSecurityPolicy/DirectiveSet.php 
@@ -139,7 +139,7 @@ public function buildHeaderValue(Request $request, ?array $signatures = null): s
 // let's ensure that it's backward compatible with CSP level 1 (all browsers are not compatible)
 // this is the recommended way to deal with this.
 if (false === strpos($value, '\'unsafe-inline\'') && $this->level1Fallback) {
- $policy[] = $name.' '.$value.' '.'\'unsafe-inline\' '.$signatures[$name];
+ $policy[] = $name.' '.$value.' \'unsafe-inline\' '.$signatures[$name];
 // Do not add any signatures if 'unsafe-inline' is allowed anyway
 } elseif (false !== strpos($value, '\'unsafe-inline\'')) {
 $policy[] = $name.' '.$value;