Merge pull request #22 from nswdpc/feat-none-value

Add 'none' support via a checkbox
nswdpc · Mar 28, 2024 · 91be069 · 91be069
2 parents 2facc39 + fde4843
commit 91be069
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/src/Models/Directive.php b/src/Models/Directive.php
@@ -57,7 +57,8 @@ class Directive extends DataObject implements PermissionProvider
         'UnsafeInline' => 'Boolean',
         'AllowDataUri' => 'Boolean',
         'UseNonce' => 'Boolean',
-        'ReportSample' => 'Boolean'
+        'ReportSample' => 'Boolean',
+        'HasNone' => 'Boolean'  // 'none' value
     ];
 
     /**
@@ -205,6 +206,20 @@ public function getCMSFields()
         $fields->dataFieldByName('UnsafeInline')->setDescription(_t('ContentSecurityPolicy.ADD_UNSAFE_INLINE_VALUE', "Adds the 'unsafe-inline' value to this directive."));
         $fields->dataFieldByName('Enabled')->setDescription(_t('ContentSecurityPolicy.ENABLED_DIRECTIVE', "Enables this directive within linked policies"));
         $fields->dataFieldByName('ReportSample')->setDescription(_t('ContentSecurityPolicy.REPORT_SAMPLE', "Adds the 'report-sample' value to this directive. Only applicable to script-src* and style-src* violations. Will send a snippet of code that caused the violation to the reporting URL."));
+        $fields->dataFieldByName('HasNone')
+            ->setDescription(
+                _t(
+                    'ContentSecurityPolicy.NONE_VALUE_DESCRIPTION',
+                    "When enabled, elements controlled by this directive will not be allowed to load any resources."
+                    . "<br>"
+                    . "This value will be ignored by web browsers if other source expressions such as 'self' or URLs are present in the directive."
+                )
+            )->setTitle(
+                _t(
+                    'ContentSecurityPolicy.NONE_VALUE_TITLE',
+                    "Add the 'none' value"
+                )
+            );
 
         $policies = $this->Policies()->count();
         if ($policies > 1) {
@@ -344,6 +359,9 @@ public function getDirectiveValuesAsArray(bool $useFakeNonce = false) : array {
         if($this->ReportSample == 1) {
             $values[] = "'report-sample'";
         }
+        if($this->HasNone == 1) {
+            $values[] = "'none'";
+        }
         // Add the nonce if available and enabled for this directive
         if($this->UseNonce == 1) {
             if($useFakeNonce) {

diff --git a/tests/PolicyTest.php b/tests/PolicyTest.php
@@ -87,6 +87,7 @@ public function testPolicy()
             'UnsafeInline' => 0,
             'AllowDataUri' => 1,
             'ReportSample' => 1,
+            'HasNone' => 1,
             'Enabled' => 1,
         ]);
 
@@ -108,6 +109,7 @@ public function testPolicy()
         $this->assertTrue(strpos($header['policy_string'], "script-src") === 0);
         $this->assertTrue(strpos($header['policy_string'], "https://example.com https://www.example.net https://*.example.org") !== false);
         $this->assertTrue(strpos($header['policy_string'], "'report-sample'") !== false);
+        $this->assertTrue(strpos($header['policy_string'], "'none'") !== false);
 
         $this->assertArrayHasKey(Policy::DEFAULT_REPORTING_GROUP, $header['reporting_endpoints']);
         $this->assertEquals(