Merge pull request #42 from iangcarroll/patch-2

Break out the report-to directive from report-uri.
paragonie · Oct 19, 2019 · ab3f33f · ab3f33f
2 parents 3b05cbb + d6867fc
commit ab3f33f
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 6 deletions.
diff --git a/src/CSPBuilder.php b/src/CSPBuilder.php
@@ -114,10 +114,13 @@ public function compile(): string
             if (!\is_string($this->policies['report-uri'])) {
                 throw new \TypeError('report-uri policy somehow not a string');
             }
-            if ($this->supportOldBrowsers) {
-                $compiled [] = 'report-uri ' . $this->policies['report-uri'] . '; ';
+            $compiled [] = 'report-uri ' . $this->policies['report-uri'] . '; ';
+        }
+        if (!empty($this->policies['report-to'])) {
+            if (!\is_string($this->policies['report-to'])) {
+                throw new \TypeError('report-to policy somehow not a string');
             }
-            $compiled []= 'report-to ' . $this->policies['report-uri'] . '; ';
+            $compiled []= 'report-to ' . $this->policies['report-to'] . '; ';
         }
         if (!empty($this->policies['upgrade-insecure-requests'])) {
             $compiled []= 'upgrade-insecure-requests';
@@ -723,6 +726,18 @@ public function setReportUri(string $url = ''): self
         $this->policies['report-uri'] = $url;
         return $this;
     }
+
+    /**
+     * Set the report-to directive to the desired string.
+     *
+     * @param string $policy
+     * @return self
+     */
+    public function setReportTo(string $policy = ''): self
+    {
+        $this->policies['report-to'] = $policy;
+        return $this;
+    }
 
     /**
      * Compile a subgroup into a policy string

diff --git a/test/vectors/basic-csp-hash.out b/test/vectors/basic-csp-hash.out
@@ -1 +1 @@
-base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng=' 'sha384-YlVjjxmBPFrOTrK8RYTXMzr/Pt2Tyv2yi4yMalWlUERx821L2qJpIJNvAnO6ouM/'; style-src 'self'; report-uri /csp_violation; report-to /csp_violation; upgrade-insecure-requests
+base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng=' 'sha384-YlVjjxmBPFrOTrK8RYTXMzr/Pt2Tyv2yi4yMalWlUERx821L2qJpIJNvAnO6ouM/'; style-src 'self'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
diff --git a/test/vectors/basic-csp-no-old.out b/test/vectors/basic-csp-no-old.out
@@ -1 +1 @@
-base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' ytimg.com data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng='; style-src 'self'; report-to /csp_violation; upgrade-insecure-requests
+base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' ytimg.com data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng='; style-src 'self'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
diff --git a/test/vectors/basic-csp.json b/test/vectors/basic-csp.json
@@ -1,6 +1,7 @@
 {
     "report-only": false,
     "report-uri": "/csp_violation",
+    "report-to": "csp",
     "base-uri": {
         "self": true
     },

diff --git a/test/vectors/basic-csp.out b/test/vectors/basic-csp.out
@@ -1 +1 @@
-base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' https://ytimg.com ytimg.com data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng='; style-src 'self'; report-uri /csp_violation; report-to /csp_violation; upgrade-insecure-requests
+base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' https://ytimg.com ytimg.com data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng='; style-src 'self'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng=' 'sha384-YlVjjxmBPFrOTrK8RYTXMzr/Pt2Tyv2yi4yMalWlUERx821L2qJpIJNvAnO6ouM/'; style-src 'self'; report-uri /csp_violation; report-to /csp_violation; upgrade-insecure-requests
		base-uri 'self'; default-src 'self'; child-src https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self'; font-src 'self'; form-action 'self' https://example.com; frame-ancestors 'none'; img-src 'self' data:; media-src 'none'; object-src 'none'; script-src 'self' https://ajax.googleapis.com https://cdn.mathjax.org https://oss.maxcdn.com https://www.google-analytics.com 'sha256-qznLcsROx4GACP2dm0UCKCzCGHiZ1guq6ZZDob/Tng=' 'sha384-YlVjjxmBPFrOTrK8RYTXMzr/Pt2Tyv2yi4yMalWlUERx821L2qJpIJNvAnO6ouM/'; style-src 'self'; report-uri /csp_violation; report-to csp; upgrade-insecure-requests