feat: Add CSP3 script-src-elem directive (#9722)

* feat: Add script-src-elem option to CSP options.

Signed-off-by: Mark Unwin <mark.unwin@gmail.com>

* fix: Add missing unit test for script-src-elem.

Signed-off-by: Mark Unwin <mark.unwin@gmail.com>

* Fixes

---------

Signed-off-by: Mark Unwin <mark.unwin@gmail.com>
Co-authored-by: John Paul E. Balandan, CPA <paulbalandan@gmail.com>

Author: mark-unwin

app/Config/ContentSecurityPolicy.php

@@ -56,6 +56,13 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public $scriptSrc = 'self';
 
+    /**
+     * Specifies valid sources for JavaScript <script> elements.
+     *
+     * @var list<string>|string
+     */
+    public $scriptSrcElem = 'self';
+
     /**
      * Lists allowed stylesheets' URLs.
      *

system/HTTP/ContentSecurityPolicy.php

@@ -43,8 +43,9 @@ class ContentSecurityPolicy
         'plugin-types'    => 'pluginTypes',
         'script-src'      => 'scriptSrc',
         'style-src'       => 'styleSrc',
-        'manifest-src'    => 'manifestSrc',
         'sandbox'         => 'sandbox',
+        'manifest-src'    => 'manifestSrc',
+        'script-src-elem' => 'scriptSrcElem',
     ];
 
     /**
@@ -185,6 +186,13 @@ class ContentSecurityPolicy
      */
     protected $manifestSrc = [];
 
+    /**
+     * The `script-src-elem` directive applies to all script requests and script blocks.
+     *
+     * @var array<string, bool>|string
+     */
+    protected $scriptSrcElem = [];
+
     /**
      * Instructs user agents to rewrite URL schemes by changing HTTP to HTTPS.
      *
@@ -649,6 +657,22 @@ public function addScriptSrc($uri, ?bool $explicitReporting = null)
         return $this;
     }
 
+    /**
+     * Adds a new value to the `script-src-elem` directive.
+     *
+     * @see https://www.w3.org/TR/CSP/#directive-script-src-elem
+     *
+     * @param list<string>|string $uri
+     *
+     * @return $this
+     */
+    public function addScriptSrcElem($uri, ?bool $explicitReporting = null)
+    {
+        $this->addOption($uri, 'scriptSrcElem', $explicitReporting ?? $this->reportOnly);
+
+        return $this;
+    }
+
     /**
      * Adds a new value to the `style-src` directive.
      *

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -374,6 +374,23 @@ public function testScriptSrc(): void
         $this->assertContains("script-src 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testScriptSrcElem(): void
+    {
+        $this->csp->addScriptSrcElem('cdn.cloudy.com');
+        $this->csp->addScriptSrcElem('them.com', true);
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('script-src-elem them.com', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("script-src-elem 'self' cdn.cloudy.com", $this->getCspDirectives($header));
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testStyleSrc(): void

user_guide_src/source/changelogs/v4.7.0.rst

@@ -331,8 +331,16 @@ Others
 Model
 =====
 
-Helpers and Functions
-=====================
+HTTP
+====
+
+Content Security Policy
+-----------------------
+
+- Added support for the following CSP Level 3 directives:
+    - ``script-src-elem``
+
+  Update your CSP configuration in **app/Config/ContentSecurityPolicy.php** to include these new directives as needed.
 
 Others
 ======