Merge pull request #65 from fritzmg/patch-1

Generate nonce also when only `default-src` policy is applied

src/CSPBuilder.php

@@ -526,7 +526,7 @@ public function injectCSPHeader(MessageInterface $message, bool $legacy = false)
     public function nonce(string $directive = 'script-src', string $nonce = ''): string
     {
         $ruleKeys = array_keys($this->policies);
-        if (!in_array($directive, $ruleKeys)) {
+        if (!in_array($directive, $ruleKeys) && !in_array('default-src', $ruleKeys)) {
             return '';
         }
 

test/BasicTest.php

@@ -274,6 +274,37 @@ public function testAllowUnsafeInline()
         $this->assertStringContainsString("'unsafe-inline'", $compiled);
     }
 
+    /**
+     * @covers CSPBuilder::nonce()
+     * @throws \Exception
+     */
+    public function testNonce()
+    {
+        $csp = new CSPBuilder();
+
+        $this->assertEmpty($csp->nonce('script-src'));
+        $this->assertEmpty($csp->nonce('style-src'));
+
+        $csp->setSelfAllowed('script-src', true);
+        $csp->setSelfAllowed('style-src', true);
+
+        $this->assertNotEmpty($csp->nonce('script-src'));
+        $this->assertNotEmpty($csp->nonce('style-src'));
+    }
+
+    /**
+     * @covers CSPBuilder::nonce()
+     * @throws \Exception
+     */
+    public function testNonceWithDefaultSrc()
+    {
+        $csp = new CSPBuilder();
+        $csp->setSelfAllowed('default-src', true);
+
+        $this->assertNotEmpty($csp->nonce('script-src'));
+        $this->assertNotEmpty($csp->nonce('style-src'));
+    }
+
     /**
      * @covers \ParagonIE\CSPBuilder\CSPBuilder
      */