@@ -284,7 +284,7 @@ class ContentSecurityPolicyHeaderBuilder
284284 *
285285 * @var string
286286 */
287- const FRAME_OPTION_DENY = 'DENY ' ;
287+ const FRAME_OPTION_DENY = 'DENY ' ;
288288
289289 /**
290290 * Valid value for the 'X-Frame-Options' header. UA's will refuse to load any resource that sets the value of this
@@ -293,7 +293,7 @@ class ContentSecurityPolicyHeaderBuilder
293293 *
294294 * @var string
295295 */
296- const FRAME_OPTION_SAME_ORIGIN = 'SAMEORIGIN ' ;
296+ const FRAME_OPTION_SAME_ORIGIN = 'SAMEORIGIN ' ;
297297
298298 /**
299299 * Valid value for the 'X-Frame-Options' header. UA's will refuse to load any resource that sets the value of this
@@ -302,7 +302,7 @@ class ContentSecurityPolicyHeaderBuilder
302302 *
303303 * @var string
304304 */
305- const FRAME_OPTION_ALLOW_FROM = 'ALLOW-FROM %s ' ;
305+ const FRAME_OPTION_ALLOW_FROM = 'ALLOW-FROM %s ' ;
306306
307307 /**
308308 * All valid values for the 'X-Frame-Options' header.
@@ -378,6 +378,16 @@ class ContentSecurityPolicyHeaderBuilder
378378 */
379379 protected $ reportUrinull ;
380380
381+ /**
382+ * @var string
383+ */
384+ protected $ upgradeInsecureRequestsDirective'upgrade-insecure-requests ' ;
385+
386+ /**
387+ * @var bool
388+ */
389+ protected $ upgradeInsecureRequestsfalse ;
390+
381391 /**
382392 * @param bool $enforce
383393 */
@@ -451,6 +461,14 @@ public function setFrameOptions($policy, $origin = '')
451461 $ this frameOptionsValue = trim (sprintf ($ policy$ origin
452462 }
453463
464+ /**
465+ * @param bool $upgrade
466+ */
467+ public function setUpgradeInsecureRequests ($ upgrade
468+ {
469+ $ this upgradeInsecureRequests = $ upgrade
470+ }
471+
454472 /**
455473 * @param string $uri
456474 */
@@ -543,7 +561,8 @@ public function addSourceExpression($directive, $expression)
543561 if (!(
544562 isset ($ this directives [$ directive'expressions ' ])
545563 && is_array ($ this directives [$ directive'expressions ' ])
546- )) {
564+ )
565+ ) {
547566 $ this directives [$ directive'expressions ' ] = [];
548567 }
549568
@@ -601,6 +620,10 @@ public function getValue()
601620 $ directivessprintf ('%s %s ' , 'reflected-xss ' , $ this reflectedXssValue );
602621 }
603622
623+ if ($ this upgradeInsecureRequests ) {
624+ $ directives$ this upgradeInsecureRequestsDirective ;
625+ }
626+
604627 if (!is_null ($ this referrerValue )) {
605628 $ directivessprintf ('%s %s ' , 'referrer ' , $ this referrerValue );
606629 }
@@ -628,7 +651,7 @@ public function getHeaders($includeLegacy)
628651 $ headers
629652 } else {
630653 $ headers
631- 'name ' => $ this getHeaderName (),
654+ 'name ' => $ this getHeaderName (),
632655 'value ' => $ value
633656 ];
634657 }
@@ -691,7 +714,7 @@ private function parseDirectiveValue($directive)
691714 }
692715 }
693716
694- return trim (implode (' ' , array_map (function ($ value
717+ return trim (implode (' ' , array_map (function ($ value
695718 return $ this encodeDirectiveValue ($ value
696719 }, $ expressions
697720 }
@@ -748,21 +771,21 @@ private function getLegacyXssHeader($reflectedXssValue)
748771 switch ($ reflectedXssValue
749772 case 'allow ' :
750773 $ header
751- 'name ' => $ this legacyXssHeader ,
774+ 'name ' => $ this legacyXssHeader ,
752775 'value ' => '0 '
753776 ];
754777 break ;
755778
756779 case 'filter ' :
757780 $ header
758- 'name ' => $ this legacyXssHeader ,
781+ 'name ' => $ this legacyXssHeader ,
759782 'value ' => '1 '
760783 ];
761784 break ;
762785
763786 case 'block ' :
764787 $ header
765- 'name ' => $ this legacyXssHeader ,
788+ 'name ' => $ this legacyXssHeader ,
766789 'value ' => '1; mode=block '
767790 ];
768791 break ;
@@ -781,7 +804,7 @@ private function getLegacyFrameOptionsHeader()
781804 }
782805
783806 return [
784- 'name ' => $ this legacyFrameOptionsHeader ,
807+ 'name ' => $ this legacyFrameOptionsHeader ,
785808 'value ' => $ this frameOptionsValue
786809 ];
787810 }
0 commit comments