This repository was archived by the owner on Jan 30, 2020. It is now read-only.
This repository was archived by the owner on Jan 30, 2020. It is now read-only.
Missing directives in ContentSecurityPolicy (Level 3) #163
Description
- I was not able to find an open or closed issue matching what I'm seeing.
- This is not a question. (Questions should be asked on chat (Signup here) or our forums.)
Current Zend\Http\Header\ContentSecurityPolicy is too old (CSP 1.0 Header) and should be updated to follow CSP Level 3 (according to https://www.w3.org/TR/CSP/)
So, Some directives are missing in Fetch directive
- child-src
- manifest-src
- worker-src
- prefetch-src
- script-src-elem
- script-src-attr
- style-src-elem
- style-src-attr
And some Navigation, Document and Reporting directives are missing.
- base-uri
- plugin-types
- form-action
- frame-ancestors
- navigate-to
- report-to
Code to reproduce the issue
$csp = new ContentSecurityPolicy();
$csp->setDirective('worker-src', ['https://*.google.com', 'http://foo.com']);
$csp->toString();Expected results
toString() should return "Content-Security-Policy: worker-src https://*.google.com http://foo.com;"
Actual results
Throw a Exception\InvalidArgumentException