
Merge pull request #71 from internalsystemerror/support-attr-and-elem
Fix support for script-src-{elem|attr}, Add support for style-src-{elem|attr}
paragonie-security committed May 24, 2023
2 parents c5e8208 + 48283d1 commit 5cae24f
Showing 5 changed files with 9 additions and 6 deletions.
7 changes: 4 additions & 3 deletions src/CSPBuilder.php
Expand Up @@ -90,7 +90,11 @@ class CSPBuilder
'manifest-src',
'sandbox',
'script-src',
'script-src-elem',
'script-src-attr',
'style-src',
'style-src-elem',
'style-src-attr',
'worker-src'
];

Expand Down Expand Up @@ -210,9 +214,6 @@ public function addSource(string $directive, string $path): self
case 'scripts':
$directive = 'script-src';
break;
case 'script-src-elem':
case 'script-src-attr':
break;
case 'style':
case 'css':
case 'css-src':
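Review bot: The four directives added to the allow-list in the first hunk are only exercised for the `-attr` pair, and only with an empty source list, in the vectors this commit touches (basic-csp.json adds `"script-src-attr": []` and `"style-src-attr": []`, rendered as `script-src-attr 'none'` / `style-src-attr 'none'` in the .out files); as far as this diff shows, `script-src-elem`, `style-src-elem` and a non-empty source list for any of the four never reach the serializer. A vector such as `"script-src-elem": {"self": true}` would pin both the output position and the rendering of a populated granular directive. The second hunk drops the `break`-only cases for `script-src-elem`/`script-src-attr` in addSource, so those names now take the switch's default path, which lies outside the hunk; worth confirming that path keeps the directive name unchanged rather than rejecting it. A comment on the list would also help readers: `// CSP3 granular directives: when present they govern inline attributes/elements instead of script-src/style-src; browsers without CSP3 support ignore them and fall back to the base directive.` Both hunks cut through the class body and addSource, whose definitions continue outside the diff.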
2 changes: 1 addition & 1 deletion test/vectors/basic-csp-hash.out
@@ -1 +1 @@
base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng=' 'sha384-YlVjjxmBPFrOTrK8RYTXMzr/Pt2Tyv2yi4yMalWlUERx821L2qJpIJNvAnO6ouM/'; style-src 'self'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng=' 'sha384-YlVjjxmBPFrOTrK8RYTXMzr/Pt2Tyv2yi4yMalWlUERx821L2qJpIJNvAnO6ouM/'; script-src-attr 'none'; style-src 'self'; style-src-attr 'none'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
2 changes: 1 addition & 1 deletion test/vectors/basic-csp-no-old.out
@@ -1 +1 @@
base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' ytimg.com data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng='; style-src 'self'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' ytimg.com data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng='; script-src-attr 'none'; style-src 'self'; style-src-attr 'none'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
2 changes: 2 additions & 0 deletions test/vectors/basic-csp.json
Expand Up @@ -51,8 +51,10 @@
"unsafe-inline": false,
"unsafe-eval": false
},
"script-src-attr": [],
"style-src": {
"self": true
},
"style-src-attr": [],
"upgrade-insecure-requests": true
}
2 changes: 1 addition & 1 deletion test/vectors/basic-csp.out
@@ -1 +1 @@
base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' https://ytimg.com ytimg.com data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng='; style-src 'self'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' https://ytimg.com ytimg.com data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng='; script-src-attr 'none'; style-src 'self'; style-src-attr 'none'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
