⬆️ N°4770 Update to latest Symfony 3.4

Pierre Goiffon
2022-02-10 15:18:50 +01:00
parent b494ff2ce6
commit f29a8792af
401 changed files with 4329 additions and 2378 deletions


@@ -127,18 +127,24 @@ class ContentSecurityPolicyHandler
$headers = $this->getCspHeaders($response);
$types = [
'script-src' => 'csp_script_nonce',
'script-src-elem' => 'csp_script_nonce',
'style-src' => 'csp_style_nonce',
'style-src-elem' => 'csp_style_nonce',
];
foreach ($headers as $header => $directives) {
foreach (['script-src' => 'csp_script_nonce', 'style-src' => 'csp_style_nonce'] as $type => $tokenName) {
foreach ($types as $type => $tokenName) {
if ($this->authorizesInline($directives, $type)) {
continue;
}
if (!isset($headers[$header][$type])) {
if (isset($headers[$header]['default-src'])) {
$headers[$header][$type] = $headers[$header]['default-src'];
} else {
// If there is no script-src/style-src and no default-src, no additional rules required.
if (null === $fallback = $this->getDirectiveFallback($directives, $type)) {
continue;
}
$headers[$header][$type] = $fallback;
}
$ruleIsSet = true;
if (!\in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
@@ -218,9 +224,7 @@ class ContentSecurityPolicyHandler
{
if (isset($directivesSet[$type])) {
$directives = $directivesSet[$type];
} elseif (isset($directivesSet['default-src'])) {
$directives = $directivesSet['default-src'];
} else {
} elseif (null === $directives = $this->getDirectiveFallback($directivesSet, $type)) {
return false;
}
@@ -244,6 +248,16 @@ class ContentSecurityPolicyHandler
return false;
}
private function getDirectiveFallback(array $directiveSet, $type)
{
if (\in_array($type, ['script-src-elem', 'style-src-elem'], true) || !isset($directiveSet['default-src'])) {
// Let the browser fallback on it's own
return null;
}
return $directiveSet['default-src'];
}
/**
* Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
* a response.