From 26da98d80b824a6dd5f114e08833268c98cb69a3 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 11:34:40 +0900
Subject: [PATCH 1/3] docs: update PHPDocs
---
 phpstan-baseline.php | 6 ------
 system/HTTP/ContentSecurityPolicy.php | 9 +++++----
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/phpstan-baseline.php b/phpstan-baseline.php
index 1b36c4a8f8ee..a1ca30a6c63f 100644
--- a/phpstan-baseline.php
+++ b/phpstan-baseline.php
@@ -5935,12 +5935,6 @@
 'count' => 1,
 'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
 ];
-$ignoreErrors[] = [
- // identifier: missingType.iterableValue
- 'message' => '#^Property CodeIgniter\\\\HTTP\\\\ContentSecurityPolicy\\:\\:\\$validSources type has no value type specified in iterable type array\\.$#',
- 'count' => 1,
- 'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
-];
 $ignoreErrors[] = [
 // identifier: codeigniter.superglobalAccess
 'message' => '#^Accessing offset \'HTTP_USER_AGENT\' directly on \\$_SERVER is discouraged\\.$#',
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 945c3e08d3ce..573e076b7360 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -31,7 +31,7 @@ class ContentSecurityPolicy
 /**
 * CSP directives
 *
- * @var array
+ * @var array [name => property]
 */
 protected array $directives = [
 'base-uri' => 'baseURI',
@@ -166,7 +166,8 @@ class ContentSecurityPolicy
 protected $sandbox = [];
 
 /**
- * Used for security enforcement
+ * A set of endpoints to which csp violation reports will be sent when
+ * particular behaviors are prevented.
 *
 * @var string|null
 */
@@ -189,7 +190,7 @@ class ContentSecurityPolicy
 /**
 * Used for security enforcement
 *
- * @var array
+ * @var list
 */
 protected $validSources = [
 'self',
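Review bot: `@var array [name => property]` in the `$directives` hunk still leaves the iterable without key and value types, so static analysis gains nothing from the edit; `@var array<string, string>` states the same `[name => property]` mapping in a form PHPStan/Psalm can check. The same applies to the `$validSources` hunk further down, where `@var list` should be `@var list<string>` given string entries such as `'self'`; whether a bare `list` satisfies the missingType.iterableValue rule whose baseline entry this commit removes cannot be verified from the diff. Both property definitions continue past their hunks.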
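Review bot: The new description in the `@@ -166` hunk says "A set of endpoints", but the type remains `@var string|null`, so the comment promises a plurality the property cannot hold; the property name itself is outside the hunk. Suggested wording: ` * The endpoint to which CSP violation reports are sent when a policy` / ` * directive blocks a request.` The abbreviation should also be written `CSP`, matching the rest of the class documentation.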
@@ -242,7 +243,7 @@ class ContentSecurityPolicy
 
 /**
 * An array of header info since we have
- * to build ourself before passing to Response.
+ * to build ourselves before passing to Response.
 *
 * @var array
 */
From 80e9d3f391a6eb338b7befa7c332ea7ae7efac63 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 11:35:40 +0900
Subject: [PATCH 2/3] docs: describe how to remove `report-uri`
---
 system/HTTP/ContentSecurityPolicy.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 573e076b7360..7582bc467733 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -595,6 +595,9 @@ public function addPluginType($mime, ?bool $explicitReporting = null)
 *
 * @see http://www.w3.org/TR/CSP/#directive-report-uri
 *
+ * @param string $uri URL to send reports. Set `''` if you want to remove
+ * this directive at runtime.
+ *
 * @return $this
 */
 public function setReportURI(string $uri)
From 5ba2b785673af44a81fd7f6c34bc03e5dfdd5cdb Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 11:37:11 +0900
Subject: [PATCH 3/3] test: add test to remove report-uri
---
 tests/system/HTTP/ContentSecurityPolicyTest.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 7000a881b9d6..596fbfcf0b24 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
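Review bot: The new `@param` on `setReportURI` documents `''` as the removal sentinel but says nothing about what a non-empty value produces, so the contract reads one-sided; a line such as ` * A non-empty value emits `report-uri <uri>;` in the policy header.` (the form the existing `testReportURI` asserts) keeps both cases documented. It would also help callers to note that CSP Level 3 marks `report-uri` as deprecated in favour of `report-to`, which is the usual reason for wanting to clear it at runtime. The body of `setReportURI` lies outside the hunk, so whether `''` is actually treated as "remove" there is not visible here.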
@@ -379,6 +379,19 @@ public function testReportURI(): void
 $this->assertStringContainsString('report-uri http://example.com/csptracker;', $result);
 }
 
+ #[PreserveGlobalState(false)]
+ #[RunInSeparateProcess]
+ public function testRemoveReportURI(): void
+ {
+ $this->prepare();
+ $this->csp->reportOnly(false);
+ $this->csp->setReportURI('');
+ $this->work();
+
+ $result = $this->getHeaderEmitted('Content-Security-Policy');
+ $this->assertStringNotContainsString('report-uri ', $result);
+ }
+
 #[PreserveGlobalState(false)]
 #[RunInSeparateProcess]
 public function testSandboxFlags(): void
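Review bot: `testRemoveReportURI` never configures a report URI before calling `setReportURI('')`, so unless `prepare()` sets one (not visible in this hunk) the assertion also passes when the empty-string call is a no-op and the header simply never contained a `report-uri` directive. Setting a value first, as `testReportURI` evidently does, makes the test actually prove removal: add `$this->csp->setReportURI('http://example.com/csptracker');` immediately before the `setReportURI('')` line. The test file's `prepare()` and `work()` helpers are outside the hunk, so this is inferred from the neighbouring test's assertion rather than from their bodies.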