PSR-7 support, or else array of headers to be returned

[Ocramius]

This repo provides very useful functionality, but directly messes with global state via the header function.

Hereby I suggest one of either:

• being able to inject CSP headers in a PSR-7 request (wouldn't become a dependency: just a dev-dependency or a mocked one)
• provide the list of headers as an array (mainly because there is more than one header, according to

  csp-builder/src/CSPBuilder.php

  Lines 323 to 330 in 8d8b993

  	\header($which.': '.$this->compiled);
  	if ($legacy) {
  	// Add deprecated headers for compatibility with old clients
  	\header('X-'.$which.': '.$this->compiled);
  	$which = $this->reportOnly
  	? 'X-Webkit-CSP-Report-Only'
  	: 'X-Webkit-CSP';
  	\header($which.': '.$this->compiled);

  )

[paragonie-scott]

Something like this?

function injectCSPHeader(\Psr\Http\Message\MessageInterface $message, $legacy = false)
{
    if ($this->needsCompile) {
        $this->compile();
    }
    // Are we doing a report-only header?
    $which = $this->reportOnly 
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    $message->withAddedHeader($which, $this->compiled);
    if ($legacy) {
        // Add deprecated headers for compatibility with old clients
        $message->withAddedHeader('X-'.$which, $this->compiled);
        $which = $this->reportOnly 
            ? 'X-Webkit-CSP-Report-Only'
            : 'X-Webkit-CSP';
        $message->withAddedHeader($which, $this->compiled);
    }
    return $message;
}

[Ocramius]

@paragonie-scott either that or simply return the array of headers

Note that $message is immutable, therefore every with call returns a new object (referring to the snippet above)

[paragonie-scott]

84ad3c5

How does that look?

[Ocramius]

@paragonie-scott looks good: is it covered by tests?

[paragonie-scott]

The PSR-7 part isn't, yet. I don't really use PSR-7 anywhere directly so I'll need to find a way to add a unit test without adding a dependency to e.g. Guzzle.

[Ocramius]

@paragonie-scott $this->getMock('Name\Of\Interface', ['the', 'list', 'of', 'methods', 'that', 'are', 'expected', 'to', 'exist'])

[paragonie-scott]

https://github.com/paragonie/csp-builder/blob/master/src/CSPBuilder.php#L269

This will break when it returns null.

[Ocramius]

@paragonie-scott you can use $this->getMock()->expects(self::exactly(2))->method('withFoo')->willReturnSelf();

[paragonie-scott]

Expectation failed for method name is equal to string:withHeader when invoked 2 time(s).
Method was expected to be called 2 times, actually called 0 times.

.PHP Fatal error: Class Mock_MessageInterface_a0173770 contains 1 abstract method and must therefore be declared abstract or implement the remaining methods (Psr\Http\Message\MessageInterface::withHeader) in /mnt/share/csp-builder/vendor/phpunit/phpunit-mock-objects/src/Framework/MockObject/Generator.php(305) : eval()'d code on line 270

I've never used mocking before, and I have no idea what I'm even doing.

[Ocramius]

@paragonie-scott I'll send a PR :-)

[Ocramius]

@paragonie-scott see #6

[paragonie-scott]

Has this been adequately addressed in the latest release?

[Ocramius]

Looks like this was done in 1.2.0, thanks!