Adds support for additional directives in Content-Security-Policy header

Additional supported directives are:
- block-all-mixed-content
- require-sri-for
- trusted-types
- upgrade-insecure-requests

Author: michalbundyra

src/Header/ContentSecurityPolicy.php

@@ -53,6 +53,12 @@ class ContentSecurityPolicy implements MultipleHeaderInterface
         // Reporting directives
         'report-uri',
         'report-to',
+
+        // Other directives
+        'block-all-mixed-content',
+        'require-sri-for',
+        'trusted-types',
+        'upgrade-insecure-requests',
     ];
 
     /**
@@ -91,13 +97,29 @@ public function setDirective($name, array $sources)
                 (string) $name
             ));
         }
+
+        if ($name === 'block-all-mixed-content'
+            || $name === 'upgrade-insecure-requests'
+        ) {
+            if ($sources) {
+                throw new Exception\InvalidArgumentException(sprintf(
+                    'Received value for %s directive; none expected',
+                    $name
+                ));
+            }
+
+            $this->directives[$name] = '';
+            return $this;
+        }
+
         if (empty($sources)) {
             if ('report-uri' === $name) {
                 if (isset($this->directives[$name])) {
                     unset($this->directives[$name]);
                 }
                 return $this;
             }
+
             $this->directives[$name] = "'none'";
             return $this;
         }
@@ -166,7 +188,7 @@ public function getFieldValue()
         foreach ($this->directives as $name => $value) {
             $directives[] = sprintf('%s %s;', $name, $value);
         }
-        return implode(' ', $directives);
+        return str_replace(' ;', ';', implode(' ', $directives));
     }
 
     /**

test/Header/ContentSecurityPolicyTest.php

@@ -213,6 +213,12 @@ public static function validDirectives()
             ],
             ['navigate-to', ['example.com'], 'Content-Security-Policy: navigate-to example.com;'],
             ['sandbox', ['allow-forms'], 'Content-Security-Policy: sandbox allow-forms;'],
+
+            // Other directives
+            ['block-all-mixed-content', [], 'Content-Security-Policy: block-all-mixed-content;'],
+            ['require-sri-for', ['script', 'style'], 'Content-Security-Policy: require-sri-for script style;'],
+            ['trusted-types', ['*'], 'Content-Security-Policy: trusted-types *;'],
+            ['upgrade-insecure-requests', [], 'Content-Security-Policy: upgrade-insecure-requests;'],
         ];
     }
 
@@ -248,4 +254,27 @@ public function testFromString($directive, array $values, $header)
         self::assertArrayHasKey($directive, $contentSecurityPolicy->getDirectives());
         self::assertSame(implode(' ', $values), $contentSecurityPolicy->getDirectives()[$directive]);
     }
+
+    /**
+     * @return string
+     */
+    public function directivesWithoutValue()
+    {
+        yield ['block-all-mixed-content'];
+        yield ['upgrade-insecure-requests'];
+    }
+
+    /**
+     * @dataProvider directivesWithoutValue
+     *
+     * @param string $directive
+     */
+    public function testExceptionWhenProvideValueWithDirectiveWithoutValue($directive)
+    {
+        $csp = new ContentSecurityPolicy();
+
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage($directive);
+        $csp->setDirective($directive, ['something']);
+    }
 }