This repository has been archived by the owner on Jan 30, 2020. It is now read-only.
Fix CSP report-uri directive defaulting to 'none' when empty value provided #93
If `setDirective` is called on `\Zend\Http\Header\ContentSecurityPolicy` with an empty array for report-uri, the resulting header contains `report-uri: 'none'`:

```php
$csp->setDirective('report-uri', []);
```
According to the CSP2 specification (https://www.w3.org/TR/CSP2/), the report-uri directive is not a source-list; it actually accepts 1 or more uri-references. This means the default of 'none' is not treated as no report-uri.

If report-uri is defaulted to 'none', I have observed CSP errors being reported to an endpoint of `host/'none'`.
Screenshot of the Network tab in both Chrome and Firefox with `report-uri: 'none'`:

My proposed fix will ensure that the report-uri directive is unset if an empty array is provided, rather than defaulting to 'none'. This will then omit report-uri from the ContentSecurityPolicy header, which achieves what I would expect for an empty report-uri.
I have created branches of ZendSkeletonApplication.

One which highlights the error:
https://github.com/tkjn/ZendSkeletonApplication/tree/csp-report-uri-none-error

And another which uses my proposed fix:
https://github.com/tkjn/ZendSkeletonApplication/tree/csp-report-uri-none-error-fixed
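The distinction the PR relies on, as an added example that is not Zend Framework code and not the author's patch: a minimal CSP header serializer that treats empty source-list directives and an empty report-uri differently, a header audit that flags a `report-uri 'none'` on the wire, and the URL resolution that turns that keyword into the `host/'none'` endpoint observed above. Directive names come from the CSP2 specification; the function names, the `fixed` flag and the sample policy are this example's own assumptions.

```python
"""Added example (not Zend Framework code): a minimal CSP header serializer
showing why an empty report-uri must be dropped instead of becoming 'none',
plus a small audit helper for spotting the bad header in responses."""
from typing import Dict, List, Optional
from urllib.parse import urljoin

# Source-list directives (CSP2 sec. 4.2): an empty list legitimately means
# "match nothing" and is serialised as the keyword 'none'.
SOURCE_LIST_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "form-action", "frame-ancestors", "base-uri",
}
# report-uri takes one or more uri-references; there is no 'none' keyword
# for it, so an empty value can only mean "do not report at all".
URI_LIST_DIRECTIVES = {"report-uri"}

NONE_KEYWORD = "'none'"


def _serialize(name: str, values: List[str], fixed: bool) -> Optional[str]:
    """Serialise one directive; None means 'leave it out of the header'."""
    if values:
        return f"{name} {' '.join(values)}"
    if name in URI_LIST_DIRECTIVES and fixed:
        return None  # the fix: unset report-uri when no URIs were given
    # Buggy path for report-uri (and the correct path for real source lists):
    # an empty value becomes the 'none' keyword.
    return f"{name} {NONE_KEYWORD}"


def build_csp(directives: Dict[str, List[str]], fixed: bool = True) -> str:
    """Build a Content-Security-Policy value. fixed=False reproduces the bug."""
    parts = [_serialize(n, v, fixed) for n, v in directives.items()]
    return "; ".join(p for p in parts if p is not None)


def audit_report_uri(header: str) -> List[str]:
    """Return report-uri tokens that are quoted CSP keywords rather than URIs.
    A non-empty result means browsers would POST violation reports to a
    path literally named after the keyword instead of a collector."""
    bad: List[str] = []
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] in URI_LIST_DIRECTIVES:
            bad.extend(t for t in tokens[1:]
                       if t.startswith("'") and t.endswith("'"))
    return bad


def resolve_report_endpoint(page_url: str, report_uri: str) -> str:
    """Where a browser sends reports: report-uri is resolved relative to the
    document URL, which is how 'none' ends up as host/'none'."""
    return urljoin(page_url, report_uri)


if __name__ == "__main__":
    # Constructed sample policy: one real source list, one emptied source
    # list (correctly 'none') and an empty report-uri (must be omitted).
    policy = {"default-src": ["'self'"], "object-src": [], "report-uri": []}
    buggy = build_csp(policy, fixed=False)
    print("buggy:", buggy)
    print("fixed:", build_csp(policy, fixed=True))
    bogus = audit_report_uri(buggy)
    print("bogus report-uri tokens:", bogus)
    print("reports would go to:",
          resolve_report_endpoint("https://app.example/index", bogus[0]))
```

Note that `object-src` still serialises as `'none'` in the fixed output: the fix is specific to directives that take URIs, not a blanket suppression of empty values, which is what keeps the header safe for source lists that are intentionally empty.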