diff --git a/phpstan-baseline.php b/phpstan-baseline.php
index 9333adddfe43..c49b156548eb 100644
--- a/phpstan-baseline.php
+++ b/phpstan-baseline.php
@@ -5929,12 +5929,6 @@
 'count' => 1,
 'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
 ];
-$ignoreErrors[] = [
- // identifier: missingType.iterableValue
- 'message' => '#^Property CodeIgniter\\\\HTTP\\\\ContentSecurityPolicy\\:\\:\\$validSources type has no value type specified in iterable type array\\.$#',
- 'count' => 1,
- 'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
-];
 $ignoreErrors[] = [
 // identifier: codeigniter.superglobalAccess
 'message' => '#^Accessing offset \'HTTP_USER_AGENT\' directly on \\$_SERVER is discouraged\\.$#',
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 945c3e08d3ce..7582bc467733 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -31,7 +31,7 @@ class ContentSecurityPolicy
 /**
 * CSP directives
 *
- * @var array
+ * @var array [name => property]
 */
 protected array $directives = [
 'base-uri' => 'baseURI',
@@ -166,7 +166,8 @@ class ContentSecurityPolicy
 protected $sandbox = [];
 
 /**
- * Used for security enforcement
+ * A set of endpoints to which csp violation reports will be sent when
+ * particular behaviors are prevented.
 *
 * @var string|null
 */
@@ -189,7 +190,7 @@ class ContentSecurityPolicy
 /**
 * Used for security enforcement
 *
- * @var array
+ * @var list
 */
 protected $validSources = [
 'self',
@@ -242,7 +243,7 @@ class ContentSecurityPolicy
 /**
 * An array of header info since we have
- * to build ourself before passing to Response.
+ * to build ourselves before passing to Response.
 *
 * @var array
 */
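Review bot: `@var array [name => property]` in the `$directives` docblock is not a type PHPStan or Psalm can parse — the bracketed part is read as free-text description, so the value type is still unspecified — and the bare `@var list` on `$validSources` in the hunk at line 189 has the same weakness. The visible entries (`'base-uri' => 'baseURI'`, `'self'`) are strings, so `@var array<string, string>` for `$directives` and `@var list<string>` for `$validSources` would document the element types and keep the `missingType.iterableValue` baseline entry this commit removes from being needed again. The `Used for security enforcement` sentence on `$validSources` was also left untouched while the identical sentence on the report-URI property was rewritten; it would benefit from saying what the list is checked against, which is decided by code outside these hunks.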
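Review bot: The new description in the hunk at line 166 says `A set of endpoints` while the property is typed `@var string|null` and `setReportURI()` below takes a single `string`, so the docblock promises more than the property can hold and a reader may try to pass several URIs. Something like ` * Endpoint (report-uri directive) to which CSP violation reports are sent when a directive blocks a resource; null when the directive is not emitted.` matches the declared type, and `csp` should be `CSP` as in the other docblocks. Whether `null` or `''` is the "not emitted" state is settled by code outside this hunk, so the wording should be confirmed against the header builder.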
@@ -594,6 +595,9 @@ public function addPluginType($mime, ?bool $explicitReporting = null)
 *
 * @see http://www.w3.org/TR/CSP/#directive-report-uri
 *
+ * @param string $uri URL to send reports. Set `''` if you want to remove
+ * this directive at runtime.
+ *
 * @return $this
 */
 public function setReportURI(string $uri)
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 7000a881b9d6..596fbfcf0b24 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -379,6 +379,19 @@ public function testReportURI(): void
 $this->assertStringContainsString('report-uri http://example.com/csptracker;', $result);
 }
 
+ #[PreserveGlobalState(false)]
+ #[RunInSeparateProcess]
+ public function testRemoveReportURI(): void
+ {
+ $this->prepare();
+ $this->csp->reportOnly(false);
+ $this->csp->setReportURI('');
+ $this->work();
+
+ $result = $this->getHeaderEmitted('Content-Security-Policy');
+ $this->assertStringNotContainsString('report-uri ', $result);
+ }
+
 #[PreserveGlobalState(false)]
 #[RunInSeparateProcess]
 public function testSandboxFlags(): void
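Review bot: The added `@param` names `''` as the removal sentinel but does not say that `null` is not accepted — the parameter is a non-nullable `string` while the backing property is `@var string|null`, so under `strict_types` a caller who reads the property type and calls `setReportURI(null)` gets a `TypeError`. Suggested wording: `@param string $uri URL to send violation reports to. Pass '' (not null) to drop the report-uri directive at runtime.` The body of `setReportURI()` is outside the hunk, so whether `''` actually suppresses emission is established only by the new test, not by anything visible here.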
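Review bot: `assertStringNotContainsString('report-uri ', $result)` in `testRemoveReportURI` passes vacuously if no `Content-Security-Policy` header was emitted at all or came back empty, so the test cannot tell "directive removed" from "policy missing". A positive check first, e.g. `$this->assertNotEmpty($result);` or an assertion on a directive `prepare()` is known to set, would pin the intended outcome; `prepare()` and `getHeaderEmitted()` are defined outside the hunk, so I cannot tell which directive is guaranteed to be present.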