Don't add csp-headers if none are required

arjenm · arjenm · commit 6fecc94103cb · 2017-01-17T09:49:30.000+01:00
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@@ -135,7 +135,8 @@ private function updateCspHeaders(Response $response, array $nonces = array())
                     if (isset($headers[$header]['default-src'])) {
                         $headers[$header][$type] = $headers[$header]['default-src'];
                     } else {
-                        $headers[$header][$type] = array();
+                        // If there is no script-src/style-src and no default-src, no additional rules required.
+                        continue;
                     }
                 }
                 $ruleIsSet = true;
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@@ -118,6 +118,13 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 $this->createResponse($responseNonceHeaders),
                 array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
             ),
+            array(
+                $nonce,
+                array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
+                $this->createRequest(),
+                $this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:')),
+                array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'X-Content-Security-Policy' => null),
+            ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
@@ -130,7 +137,7 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(array('Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'')),
-                array('Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'', 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
@@ -144,21 +151,21 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'')),
-                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
+                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(array('X-Content-Security-Policy' => 'script-src \'self\'')),
-                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
+                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'sha384-LALALALALAAL\'')),
-                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'sha384-LALALALALAAL\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
+                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'sha384-LALALALALAAL\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
             ),
             array(
                 $nonce,

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,8 @@ private function updateCspHeaders(Response $response, array $nonces = array())`
`135`	`135`	`if (isset($headers[$header]['default-src'])) {`
`136`	`136`	`$headers[$header][$type] = $headers[$header]['default-src'];`
`137`	`137`	`} else {`
`138`		`- $headers[$header][$type] = array();`
	`138`	`+ // If there is no script-src/style-src and no default-src, no additional rules required.`
	`139`	`+ continue;`
`139`	`140`	`}`
`140`	`141`	`}`
`141`	`142`	`$ruleIsSet = true;`