soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Relax style-src-elem to allow inline
Some checks failed
linter / quality (push) Has been cancelled
Details
tests / ci (push) Has been cancelled
Details
tests / ui (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Codex Agent
2026-01-24 23:41:53 +01:00
parent 84e253b61c
commit c4ac38e41a
2 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/Http/Middleware/ContentSecurityPolicy.php
View File

@@ -118,7 +118,11 @@ class ContentSecurityPolicy
$styleSources[] = 'data:'; $styleSources[] = 'data:';
$connectSources[] = 'https:'; $connectSources[] = 'https:';
$fontSources[] = 'https:'; $fontSources[] = 'https:';
$styleElemSources = array_unique(array_merge($styleSources, ["'unsafe-inline'"])); $styleElemSources = array_values(array_filter(
$styleSources,
static fn (string $source): bool => ! str_starts_with($source, "'nonce-")
));
$styleElemSources = array_unique(array_merge($styleElemSources, ["'unsafe-inline'"]));
$directives = [ $directives = [
'default-src' => ["'self'"], 'default-src' => ["'self'"],

4
tests/Feature/SecurityHeadersTest.php
View File

@@ -37,7 +37,7 @@ class SecurityHeadersTest extends TestCase
$response->assertHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()'); $response->assertHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
$response->assertHeader('Content-Security-Policy'); $response->assertHeader('Content-Security-Policy');
$response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'"); $response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
$response->assertHeaderContains('Content-Security-Policy', "'unsafe-inline'; style-src-attr"); $response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self' https: data: 'unsafe-inline'");
$response->assertHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); $response->assertHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
$response->assertCookie('XSRF-TOKEN'); $response->assertCookie('XSRF-TOKEN');
@@ -49,7 +49,7 @@ class SecurityHeadersTest extends TestCase
$login->assertOk(); $login->assertOk();
$login->assertHeader('Content-Security-Policy'); $login->assertHeader('Content-Security-Policy');
$login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'"); $login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
$login->assertHeaderContains('Content-Security-Policy', "'unsafe-inline'; style-src-attr"); $login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self' https: data: 'unsafe-inline'");
$login->assertHeader('X-Frame-Options', 'SAMEORIGIN'); $login->assertHeader('X-Frame-Options', 'SAMEORIGIN');
$login->assertCookie('XSRF-TOKEN'); $login->assertCookie('XSRF-TOKEN');
} finally { } finally {