Fix CSP report-uri directive defaulting to 'none' when empty value provided

src/Header/ContentSecurityPolicy.php

@@ -73,6 +73,12 @@ public function setDirective($name, array $sources)
             ));
         }
         if (empty($sources)) {
+            if ('report-uri' === $name) {
+                if (isset($this->directives[$name])) {
+                    unset($this->directives[$name]);
+                }
+                return $this;
+            }
             $this->directives[$name] = "'none'";
             return $this;
         }

test/Header/ContentSecurityPolicyTest.php

@@ -110,4 +110,30 @@ public function testPreventsCRLFAttackViaDirective()
         $this->setExpectedException('Zend\Http\Header\Exception\InvalidArgumentException');
         $header->setDirective('default-src', ["\rsome\r\nCRLF\ninjection"]);
     }
+
+    public function testContentSecurityPolicySetDirectiveWithEmptyReportUriDefaultsToUnset()
+    {
+        $csp = new ContentSecurityPolicy();
+        $csp->setDirective('report-uri', []);
+        $this->assertEquals(
+            "Content-Security-Policy: ",
+            $csp->toString()
+        );
+    }
+
+    public function testContentSecurityPolicySetDirectiveWithEmptyReportUriRemovesExistingValue()
+    {
+        $csp = new ContentSecurityPolicy();
+        $csp->setDirective('report-uri', ['csp-error']);
+        $this->assertEquals(
+            "Content-Security-Policy: report-uri csp-error;",
+            $csp->toString()
+        );
+
+        $csp->setDirective('report-uri', []);
+        $this->assertEquals(
+            "Content-Security-Policy: ",
+            $csp->toString()
+        );
+    }
 }