Merge e8b374e into a04cf06

zendframework · Apr 6, 2019 · 268e954 · 268e954
2 parents a04cf06 + e8b374e
commit 268e954
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 1 deletion.
diff --git a/src/Header/ContentSecurityPolicy.php b/src/Header/ContentSecurityPolicy.php
@@ -8,7 +8,7 @@
 namespace Zend\Http\Header;
 
 /**
- * Content Security Policy 1.0 Header
+ * Content Security Policy Level 3 Header
  *
  * @link http://www.w3.org/TR/CSP/
  */
@@ -32,6 +32,20 @@ class ContentSecurityPolicy implements HeaderInterface
         'connect-src',
         'sandbox',
         'report-uri',
+        'child-src',
+        'manifest-src',
+        'worker-src',
+        'prefetch-src',
+        'script-src-elem',
+        'script-src-attr',
+        'style-src-elem',
+        'style-src-attr',
+        'base-uri',
+        'plugin-types',
+        'form-action',
+        'frame-ancestors',
+        'navigate-to',
+        'report-to'
     ];
 
     /**

diff --git a/test/Header/ContentSecurityPolicyTest.php b/test/Header/ContentSecurityPolicyTest.php
@@ -139,4 +139,57 @@ public function testContentSecurityPolicySetDirectiveWithEmptyReportUriRemovesEx
             $csp->toString()
         );
     }
+
+    /**
+     * @param string $directive
+     * @param string[] $value
+     * @param string $expected
+     *
+     * @dataProvider directivesProvider
+     */
+    public function testContentSecurityPolicySetDirectiveThrowsExceptionIfMissingDirectiveNameGiven(
+        $directive,
+        $value,
+        $expected
+    ) {
+        $csp = new ContentSecurityPolicy();
+        $csp->setDirective($directive, $value);
+
+        $this->assertEquals(
+            $expected,
+            $csp->toString()
+        );
+    }
+
+    public static function directivesProvider()
+    {
+        return [
+            ['child-src', ["'self'"],"Content-Security-Policy: child-src 'self';"],
+            ['manifest-src', ["'self'"], "Content-Security-Policy: manifest-src 'self';"],
+            ['worker-src', ["'self'"], "Content-Security-Policy: worker-src 'self';"],
+            ['prefetch-src', ["'self'"], "Content-Security-Policy: prefetch-src 'self';"],
+            ['script-src-elem', ["'self'"], "Content-Security-Policy: script-src-elem 'self';"],
+            ['script-src-attr', ["'self'"], "Content-Security-Policy: script-src-attr 'self';"],
+            ['style-src-elem', ["'self'"], "Content-Security-Policy: style-src-elem 'self';"],
+            ['style-src-attr', ["'self'"], "Content-Security-Policy: style-src-attr 'self';"],
+            ['base-uri', ["'self'", "'unsafe-inline'"], "Content-Security-Policy: base-uri 'self' 'unsafe-inline';"],
+            ['plugin-types', ['text/csv'], 'Content-Security-Policy: plugin-types text/csv;'],
+            ['form-action',
+                [
+                    'http://*.example.com',
+                    "'self'"
+                ],
+                "Content-Security-Policy: form-action http://*.example.com 'self';"
+            ],
+            ['frame-ancestors',
+                [
+                    'http://*.example.com',
+                    "'self'"
+                ],
+                "Content-Security-Policy: frame-ancestors http://*.example.com 'self';"
+            ],
+            ['navigate-to', ['example.com'], 'Content-Security-Policy: navigate-to example.com;'],
+            ['sandbox', ['allow-forms'], 'Content-Security-Policy: sandbox allow-forms;'],
+        ];
+    }
 }