feat: add ContentSecurityPolicy::clearDirective()

codeigniter4 · Nov 15, 2023 · d390403 · d390403
1 parent b7a918e
commit d390403
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
@@ -819,4 +819,14 @@ protected function addToHeader(string $name, $values = null)
             $this->reportOnlyHeaders[$name] = implode(' ', $reportSources);
         }
     }
+
+    /**
+     * Clear the directive.
+     *
+     * @param string $directive CSP directive
+     */
+    public function clearDirective(string $directive): void
+    {
+        $this->{$this->directives[$directive]} = [];
+    }
 }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -642,4 +642,19 @@ public function testHeaderScriptNonceEmittedOnceGetScriptNonceCalled(): void
         $result = $this->getHeaderEmitted('Content-Security-Policy');
         $this->assertStringContainsString("script-src 'self' 'nonce-", $result);
     }
+
+    public function testClearDirective(): void
+    {
+        $this->prepare();
+
+        $this->csp->addStyleSrc('css.example.com');
+        $this->csp->clearDirective('style-src');
+
+        $this->csp->finalize($this->response);
+
+        $header = $this->response->getHeaderLine('Content-Security-Policy');
+
+        $this->assertStringNotContainsString('style-src ', $header);
+        $this->assertStringNotContainsString('css.example.com', $header);
+    }
 }