Content-Security-Policy implements MultipleHeaderInterface

michalbundyra · michalbundyra · commit 67ddca837d9a · 2019-09-28T12:45:26.000+01:00
This header can be provided multiple times Ref: https://w3c.github.io/webappsec-csp/#multiple-policies Fixes #159
diff --git a/src/Header/ContentSecurityPolicy.php b/src/Header/ContentSecurityPolicy.php
@@ -12,7 +12,7 @@
  *
  * @link http://www.w3.org/TR/CSP/
  */
-class ContentSecurityPolicy implements HeaderInterface
+class ContentSecurityPolicy implements MultipleHeaderInterface
 {
     /**
      * Valid directive names
@@ -154,4 +154,20 @@ public function toString()
     {
         return sprintf('%s: %s', $this->getFieldName(), $this->getFieldValue());
     }
+
+    public function toStringMultipleHeaders(array $headers)
+    {
+        $strings = [$this->toString()];
+        foreach ($headers as $header) {
+            if (! $header instanceof ContentSecurityPolicy) {
+                throw new Exception\RuntimeException(
+                    'The ContentSecurityPolicy multiple header implementation can only'
+                    . ' accept an array of ContentSecurityPolicy headers'
+                );
+            }
+            $strings[] = $header->toString();
+        }
+
+        return implode("\r\n", $strings) . "\r\n";
+    }
 }
diff --git a/src/HeaderLoader.php b/src/HeaderLoader.php
@@ -36,6 +36,7 @@ class HeaderLoader extends PluginClassLoader
         'contentlocation'         => Header\ContentLocation::class,
         'contentmd5'              => Header\ContentMD5::class,
         'contentrange'            => Header\ContentRange::class,
+        'contentsecuritypolicy'   => Header\ContentSecurityPolicy::class,
         'contenttransferencoding' => Header\ContentTransferEncoding::class,
         'contenttype'             => Header\ContentType::class,
         'cookie'                  => Header\Cookie::class,
diff --git a/test/Header/ContentSecurityPolicyTest.php b/test/Header/ContentSecurityPolicyTest.php
@@ -8,9 +8,13 @@
 namespace ZendTest\Http\Header;
 
 use PHPUnit\Framework\TestCase;
+use Zend\Http\Exception\RuntimeException;
 use Zend\Http\Header\ContentSecurityPolicy;
 use Zend\Http\Header\Exception\InvalidArgumentException;
+use Zend\Http\Header\GenericHeader;
 use Zend\Http\Header\HeaderInterface;
+use Zend\Http\Header\MultipleHeaderInterface;
+use Zend\Http\Headers;
 
 class ContentSecurityPolicyTest extends TestCase
 {
@@ -25,6 +29,7 @@ public function testContentSecurityPolicyFromStringParsesDirectivesCorrectly()
         $csp = ContentSecurityPolicy::fromString(
             "Content-Security-Policy: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self';"
         );
+        $this->assertInstanceOf(MultipleHeaderInterface::class, $csp);
         $this->assertInstanceOf(HeaderInterface::class, $csp);
         $this->assertInstanceOf(ContentSecurityPolicy::class, $csp);
         $directives = [
@@ -139,4 +144,47 @@ public function testContentSecurityPolicySetDirectiveWithEmptyReportUriRemovesEx
             $csp->toString()
         );
     }
+
+    public function testToStringMultipleHeaders()
+    {
+        $csp = new ContentSecurityPolicy();
+        $csp->setDirective('default-src', ["'self'"]);
+
+        $additional = new ContentSecurityPolicy();
+        $additional->setDirective('img-src', ['https://*.github.com']);
+
+        self::assertSame(
+            "Content-Security-Policy: default-src 'self';\r\n"
+            . "Content-Security-Policy: img-src https://*.github.com;\r\n",
+            $csp->toStringMultipleHeaders([$additional])
+        );
+    }
+
+    public function testToStringMultipleHeadersExceptionIfDifferent()
+    {
+        $csp = new ContentSecurityPolicy();
+        $csp->setDirective('default-src', ["'self'"]);
+
+        $additional = new GenericHeader();
+
+        $this->expectException(RuntimeException::class);
+        $this->expectExceptionMessage(
+            'The ContentSecurityPolicy multiple header implementation'
+            . ' can only accept an array of ContentSecurityPolicy headers'
+        );
+        $csp->toStringMultipleHeaders([$additional]);
+    }
+
+    public function testMultiple()
+    {
+        $headers = new Headers();
+        $headers->addHeader((new ContentSecurityPolicy())->setDirective('default-src', ["'self'"]));
+        $headers->addHeader((new ContentSecurityPolicy())->setDirective('img-src', ['https://*.github.com']));
+
+        self::assertSame(
+            "Content-Security-Policy: default-src 'self';\r\n"
+            . "Content-Security-Policy: img-src https://*.github.com;\r\n",
+            $headers->toString()
+        );
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`*`
`13`	`13`	`* @link http://www.w3.org/TR/CSP/`
`14`	`14`	`*/`
`15`		`-class ContentSecurityPolicy implements HeaderInterface`
	`15`	`+class ContentSecurityPolicy implements MultipleHeaderInterface`
`16`	`16`	`{`
`17`	`17`	`/**`
`18`	`18`	`* Valid directive names`
`@@ -154,4 +154,20 @@ public function toString()`
`154`	`154`	`{`
`155`	`155`	`return sprintf('%s: %s', $this->getFieldName(), $this->getFieldValue());`
`156`	`156`	`}`
	`157`	`+`
	`158`	`+ public function toStringMultipleHeaders(array $headers)`
	`159`	`+ {`
	`160`	`+ $strings = [$this->toString()];`
	`161`	`+ foreach ($headers as $header) {`
	`162`	`+ if (! $header instanceof ContentSecurityPolicy) {`
	`163`	`+ throw new Exception\RuntimeException(`
	`164`	`+ 'The ContentSecurityPolicy multiple header implementation can only'`
	`165`	`+ . ' accept an array of ContentSecurityPolicy headers'`
	`166`	`+ );`
	`167`	`+ }`
	`168`	`+ $strings[] = $header->toString();`
	`169`	`+ }`
	`170`	`+`
	`171`	`+ return implode("\r\n", $strings) . "\r\n";`
	`172`	`+ }`
`157`	`173`	`}`