From d3904035f244349531ae68dcbafe8d2babbe194c Mon Sep 17 00:00:00 2001
From: kenjis
Date: Wed, 15 Nov 2023 17:49:19 +0900
Subject: [PATCH] feat: add ContentSecurityPolicy::clearDirective()
---
 system/HTTP/ContentSecurityPolicy.php | 10 ++++++++++
 tests/system/HTTP/ContentSecurityPolicyTest.php | 15 +++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index dedc715c5828..30ae1b09919d 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -819,4 +819,14 @@ protected function addToHeader(string $name, $values = null)
 $this->reportOnlyHeaders[$name] = implode(' ', $reportSources);
 }
 }
+
+ /**
+ * Clear the directive.
+ *
+ * @param string $directive CSP directive
+ */
+ public function clearDirective(string $directive): void
+ {
+ $this->{$this->directives[$directive]} = [];
+ }
 }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 81fd2d998602..30dd975b4cf1 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -642,4 +642,19 @@ public function testHeaderScriptNonceEmittedOnceGetScriptNonceCalled(): void
 $result = $this->getHeaderEmitted('Content-Security-Policy');
 $this->assertStringContainsString("script-src 'self' 'nonce-", $result);
 }
+
+ public function testClearDirective(): void
+ {
+ $this->prepare();
+
+ $this->csp->addStyleSrc('css.example.com');
+ $this->csp->clearDirective('style-src');
+
+ $this->csp->finalize($this->response);
+
+ $header = $this->response->getHeaderLine('Content-Security-Policy');
+
+ $this->assertStringNotContainsString('style-src ', $header);
+ $this->assertStringNotContainsString('css.example.com', $header);
+ }
 }
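Review bot: `clearDirective()` indexes `$this->directives[$directive]` with the caller's string and uses the result as a property name without checking that the key exists, so a misspelled or unsupported directive name is not rejected cleanly. A guard before the assignment would make that explicit: `if (! isset($this->directives[$directive])) { throw new \InvalidArgumentException('Unknown CSP directive: ' . $directive); }`. The unconditional `= []` also assumes every mapped property holds an array; the map is outside this hunk, so if any entry points at a scalar or nullable property it needs its own reset value. The docblock should also state the security effect of the call, for example `Note: a cleared fetch directive falls back to default-src, or is unrestricted if default-src is not set.`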
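Review bot: Both assertions in `testClearDirective()` are negative, so they would also pass if `finalize()` produced an empty or missing `Content-Security-Policy` header. A positive check that an untouched directive survives the clear would pin the intended behaviour, for example `$this->csp->addImageSrc('img.example.com');` before the `clearDirective()` call and `$this->assertStringContainsString('img.example.com', $header);` after it. The test also leaves the `Content-Security-Policy-Report-Only` header and the unknown-directive path unexercised; what `prepare()` configures is outside this hunk, so the exact defaults should be confirmed before choosing the positive assertion.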