Change naming and explain better

Author: jim-parry

application/Config/ContentSecurityPolicy.php

@@ -25,18 +25,18 @@ class ContentSecurityPolicy extends BaseConfig
 	// sources allowed; string or array of strings
 	// Note: once you set a policy to 'none', it cannot be further restricted
 
-	public $defaultSrc     = null;
+	public $defaultSrc     = 'self';
 	public $scriptSrc      = 'self';
 	public $styleSrc       = 'self';
 	public $imageSrc       = 'self';
-	public $baseURI        = null;
-	public $childSrc       = null;
+	public $baseURI        = 'self';
+	public $childSrc       = 'self';
 	public $connectSrc     = 'self';
 	public $fontSrc        = null;
-	public $formAction     = null;
+	public $formAction     = 'self';
 	public $frameAncestors = null;
 	public $mediaSrc       = null;
-	public $objectSrc      = null;
+	public $objectSrc      = 'self';
 	public $manifestSrc    = null;
 
 	// mime types allowed; string or array of strings

system/HTTP/ContentSecurityPolicy.php

@@ -279,13 +279,13 @@ public function reportOnly(bool $value = true)
 	 * @see http://www.w3.org/TR/CSP/#directive-base-uri
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addBaseURI($uri, ?bool $override = null)
+	public function addBaseURI($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'baseURI', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'baseURI', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -303,13 +303,13 @@ public function addBaseURI($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-child-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addChildSrc($uri, ?bool $override = null)
+	public function addChildSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'childSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'childSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -326,13 +326,13 @@ public function addChildSrc($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-connect-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addConnectSrc($uri, ?bool $override = null)
+	public function addConnectSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'connectSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'connectSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -349,13 +349,13 @@ public function addConnectSrc($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-default-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function setDefaultSrc($uri, ?bool $override = null)
+	public function setDefaultSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->defaultSrc = [(string) $uri => $override ?? $this->reportOnly];
+		$this->defaultSrc = [(string) $uri => $explicitReporting ?? $this->reportOnly];
 
 		return $this;
 	}
@@ -371,13 +371,13 @@ public function setDefaultSrc($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-font-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addFontSrc($uri, ?bool $override = null)
+	public function addFontSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'fontSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'fontSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -391,13 +391,13 @@ public function addFontSrc($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-form-action
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addFormAction($uri, ?bool $override = null)
+	public function addFormAction($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'formAction', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'formAction', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -411,13 +411,13 @@ public function addFormAction($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-frame-ancestors
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addFrameAncestor($uri, ?bool $override = null)
+	public function addFrameAncestor($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'frameAncestors', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'frameAncestors', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -431,13 +431,13 @@ public function addFrameAncestor($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-img-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addImageSrc($uri, ?bool $override = null)
+	public function addImageSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'imageSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'imageSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -451,13 +451,13 @@ public function addImageSrc($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-media-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addMediaSrc($uri, ?bool $override = null)
+	public function addMediaSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'mediaSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'mediaSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -471,13 +471,13 @@ public function addMediaSrc($uri, ?bool $override = null)
 	 * @see https://www.w3.org/TR/CSP/#directive-manifest-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addManifestSrc($uri, ?bool $override = null)
+	public function addManifestSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'manifestSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'manifestSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -491,13 +491,13 @@ public function addManifestSrc($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-object-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addObjectSrc($uri, ?bool $override = null)
+	public function addObjectSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'objectSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'objectSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -510,14 +510,14 @@ public function addObjectSrc($uri, ?bool $override = null)
 	 *
 	 * @see http://www.w3.org/TR/CSP/#directive-plugin-types
 	 *
-	 * @param string|array $mime     One or more plugin mime types, separate by spaces
-	 * @param boolean|null $override
+	 * @param string|array $mime              One or more plugin mime types, separate by spaces
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addPluginType($mime, ?bool $override = null)
+	public function addPluginType($mime, ?bool $explicitReporting = null)
 	{
-		$this->addOption($mime, 'pluginTypes', $override ?? $this->reportOnly);
+		$this->addOption($mime, 'pluginTypes', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -549,14 +549,14 @@ public function setReportURI($uri)
 	 *
 	 * @see http://www.w3.org/TR/CSP/#directive-sandbox
 	 *
-	 * @param string|array $flags    An array of sandbox flags that can be added to the directive.
-	 * @param boolean|null $override
+	 * @param string|array $flags             An array of sandbox flags that can be added to the directive.
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addSandbox($flags, ?bool $override = null)
+	public function addSandbox($flags, ?bool $explicitReporting = null)
 	{
-		$this->addOption($flags, 'sandbox', $override ?? $this->reportOnly);
+		$this->addOption($flags, 'sandbox', $explicitReporting ?? $this->reportOnly);
 		return $this;
 	}
 
@@ -569,13 +569,13 @@ public function addSandbox($flags, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-connect-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addScriptSrc($uri, ?bool $override = null)
+	public function addScriptSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'scriptSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'scriptSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -589,13 +589,13 @@ public function addScriptSrc($uri, ?bool $override = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-connect-src
 	 *
 	 * @param string|array $uri
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 *
 	 * @return $this
 	 */
-	public function addStyleSrc($uri, ?bool $override = null)
+	public function addStyleSrc($uri, ?bool $explicitReporting = null)
 	{
-		$this->addOption($uri, 'styleSrc', $override ?? $this->reportOnly);
+		$this->addOption($uri, 'styleSrc', $explicitReporting ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -626,9 +626,9 @@ public function upgradeInsecureRequests(bool $value = true)
 	 *
 	 * @param string|array $options
 	 * @param string       $target
-	 * @param boolean|null $override
+	 * @param boolean|null $explicitReporting
 	 */
-	protected function addOption($options, string $target, ?bool $override = null)
+	protected function addOption($options, string $target, ?bool $explicitReporting = null)
 	{
 		// Ensure we have an array to work with...
 		if (is_string($this->{$target}))
@@ -640,12 +640,12 @@ protected function addOption($options, string $target, ?bool $override = null)
 		{
 			foreach ($options as $opt)
 			{
-				$this->{$target}[$opt] = $override ?? $this->reportOnly;
+				$this->{$target}[$opt] = $explicitReporting ?? $this->reportOnly;
 			}
 		}
 		else
 		{
-			$this->{$target}[$options] = $override ?? $this->reportOnly;
+			$this->{$target}[$options] = $explicitReporting ?? $this->reportOnly;
 		}
 	}
 

tests/system/Email/EmailTest.php

@@ -0,0 +1,13 @@
+<?php namespace CodeIgniter\Email;
+
+class EmailTest extends \CIUnitTestCase
+{
+
+	public function testNewGoodChecked()
+	{
+		$path = BASEPATH . 'Common.php';
+		$file = new File($path, true);
+		$this->assertEquals($path, $file->getRealPath());
+	}
+
+}

user_guide_src/source/outgoing/response.rst

@@ -163,33 +163,51 @@ When enabled, the response object will contain an instance of ``CodeIgniter\HTTP
 values set in **application/Config/ContentSecurityPolicy.php** are applied to that instance and, if no changes are
 needed during runtime, then the correctly formatted header is sent and you're all done.
 
+With CSP enabled, two header lines are added to the HTTP response: a Content-Security-Policy header, with
+policies identifying content types or origins that are explicitly allowed for different
+contexts, and a Content-Security-Policy-Report-Only header, which identifies content types 
+or origins that will be allowed but which will also be reported to the destination
+of your choice.
+
+Our implementation provides for a default treatment, changeable through the ``reportOnly()`` method.
+When an additional entry is added to a CSP directive, as shown below, it will be added
+to the CSP header appropriate for blocking or preventing. That can be over-ridden on a per
+call basis, by providing an optional second parameter to the adding method call.
+
 Runtime Configuration
 ---------------------
 
 If your application needs to make changes at run-time, you can access the instance at ``$response->CSP``. The
-class holds a number of methods that map pretty clearly to the appropriate header value that you need to set::
-
-	$reportOnly = true;
-
-	$response->CSP->reportOnly($reportOnly);
-	$response->CSP->setDefaultSrc('cdn.example.com', $reportOnly);
+class holds a number of methods that map pretty clearly to the appropriate header value that you need to set.
+Examples are shown below, with different combinations of parameters, though all accept either a directive
+name or anarray of them.::
+
+        // specify the default directive treatment 
+	$response->CSP->reportOnly(false); 
+        
+        // specify the origin to use if none provided for a directive
+	$response->CSP->setDefaultSrc('cdn.example.com'); 
+        // specify the URL that "report-only" reports get sent to
 	$response->CSP->setReportURI('http://example.com/csp/reports');
+        // specify that HTTP requests be upgraded to HTTPS
 	$response->CSP->upgradeInsecureRequests(true);
 
-	$response->CSP->addBaseURI('example.com', true);
-	$response->CSP->addChildSrc('https://youtube.com', $reportOnly);
-	$response->CSP->addConnectSrc('https://*.facebook.com', $reportOnly);
-	$response->CSP->addFontSrc('fonts.example.com', $reportOnly);
-	$response->CSP->addFormAction('self', $reportOnly);
-	$response->CSP->addFrameAncestor('none', $reportOnly);
-	$response->CSP->addImageSrc('cdn.example.com', $reportOnly);
-	$response->CSP->addMediaSrc('cdn.example.com', $reportOnly);
-	$response->CSP->addManifestSrc('cdn.example.com', $reportOnly);
-	$response->CSP->addObjectSrc('cdn.example.com', $reportOnly);
-	$response->CSP->addPluginType('application/pdf', $reportOnly);
-	$response->CSP->addScriptSrc('scripts.example.com', $reportOnly);
-	$response->CSP->addStyleSrc('css.example.com', $reportOnly);
-	$response->CSP->addSandbox(['allow-forms', 'allow-scripts'],$reportOnly);
+        // add types or origins to CSP directives
+        // assuming that the default treatment is to block rather than just report
+	$response->CSP->addBaseURI('example.com', true); // report only
+	$response->CSP->addChildSrc('https://youtube.com'); // blocked
+	$response->CSP->addConnectSrc('https://*.facebook.com', false); // blocked
+	$response->CSP->addFontSrc('fonts.example.com');
+	$response->CSP->addFormAction('self');
+	$response->CSP->addFrameAncestor('none', true); // report this one
+	$response->CSP->addImageSrc('cdn.example.com');
+	$response->CSP->addMediaSrc('cdn.example.com');
+	$response->CSP->addManifestSrc('cdn.example.com');
+	$response->CSP->addObjectSrc('cdn.example.com', false); // reject from here
+	$response->CSP->addPluginType('application/pdf', false); // reject this media type
+	$response->CSP->addScriptSrc('scripts.example.com', true); // allow but report requests from here
+	$response->CSP->addStyleSrc('css.example.com');
+	$response->CSP->addSandbox(['allow-forms', 'allow-scripts']);
 
 
 The first parameter to each of the "add" methods is an appropriate string value,