Fixes

Author: paulbalandan

app/Config/ContentSecurityPolicy.php

@@ -57,7 +57,7 @@ class ContentSecurityPolicy extends BaseConfig
     public $scriptSrc = 'self';
 
     /**
-     * Lists allowed scripts' URLs.
+     * Specifies valid sources for JavaScript <script> elements.
      *
      * @var list<string>|string
      */

system/HTTP/ContentSecurityPolicy.php

@@ -42,10 +42,10 @@ class ContentSecurityPolicy
         'object-src'      => 'objectSrc',
         'plugin-types'    => 'pluginTypes',
         'script-src'      => 'scriptSrc',
-        'script-src-elem' => 'scriptSrcElem',
         'style-src'       => 'styleSrc',
-        'manifest-src'    => 'manifestSrc',
         'sandbox'         => 'sandbox',
+        'manifest-src'    => 'manifestSrc',
+        'script-src-elem' => 'scriptSrcElem',
     ];
 
     /**
@@ -154,13 +154,6 @@ class ContentSecurityPolicy
      */
     protected $scriptSrc = [];
 
-    /**
-     * Used for security enforcement
-     *
-     * @var array|string
-     */
-    protected $scriptSrcElem = [];
-
     /**
      * The `style-src` directive restricts which styles the user may applies to the protected resource.
      *
@@ -193,6 +186,13 @@ class ContentSecurityPolicy
      */
     protected $manifestSrc = [];
 
+    /**
+     * The `script-src-elem` directive applies to all script requests and script blocks.
+     *
+     * @var array<string, bool>|string
+     */
+    protected $scriptSrcElem = [];
+
     /**
      * Instructs user agents to rewrite URL schemes by changing HTTP to HTTPS.
      *
@@ -658,12 +658,11 @@ public function addScriptSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for javascript file sources. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `script-src-elem` directive.
      *
      * @see https://www.w3.org/TR/CSP/#directive-script-src-elem
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -378,15 +378,17 @@ public function testScriptSrc(): void
     #[RunInSeparateProcess]
     public function testScriptSrcElem(): void
     {
-        $this->prepare();
         $this->csp->addScriptSrcElem('cdn.cloudy.com');
         $this->csp->addScriptSrcElem('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('script-src-elem them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("script-src-elem 'self' cdn.cloudy.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('script-src-elem them.com', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("script-src-elem 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]

user_guide_src/source/changelogs/v4.7.0.rst

@@ -331,8 +331,16 @@ Others
 Model
 =====
 
-Helpers and Functions
-=====================
+HTTP
+====
+
+Content Security Policy
+-----------------------
+
+- Added support for the following CSP Level 3 directives:
+    - ``script-src-elem``
+
+  Update your CSP configuration in **app/Config/ContentSecurityPolicy.php** to include these new directives as needed.
 
 Others
 ======