codeigniter4
diff --git a/‎system/HTTP/ContentSecurityPolicy.php‎
Lines changed: 57 additions & 51 deletions b/‎system/HTTP/ContentSecurityPolicy.php‎
Lines changed: 57 additions & 51 deletions
@@ -1,4 +1,5 @@
-<?php namespace CodeIgniter\HTTP;
+<?php
+namespace CodeIgniter\HTTP;
 
 /**
  * CodeIgniter
@@ -280,14 +281,14 @@ public function reportOnly(bool $value = true)
 	 *
 	 * @see http://www.w3.org/TR/CSP/#directive-base-uri
 	 *
-	 * @param string  $uri
-	 * @param boolean $reportOnly
+	 * @param string       $uri
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function setBaseURI($uri, bool $reportOnly)
+	public function setBaseURI($uri, ?bool $override = null)
 	{
-		$this->baseURI = [(string) $uri => $reportOnly];
+		$this->baseURI = [(string) $uri => $override ?? $this->reportOnly];
 
 		return $this;
 	}
@@ -305,13 +306,13 @@ public function setBaseURI($uri, bool $reportOnly)
 	 * @see http://www.w3.org/TR/CSP/#directive-child-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addChildSrc($uri, bool $reportOnly = false)
+	public function addChildSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'childSrc', $reportOnly);
+		$this->addOption($uri, 'childSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -328,13 +329,13 @@ public function addChildSrc($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-connect-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addConnectSrc($uri, bool $reportOnly = false)
+	public function addConnectSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'connectSrc', $reportOnly);
+		$this->addOption($uri, 'connectSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -351,13 +352,13 @@ public function addConnectSrc($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-default-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function setDefaultSrc($uri, bool $reportOnly = false)
+	public function setDefaultSrc($uri, ?bool $override = null)
 	{
-		$this->defaultSrc = [(string) $uri => $reportOnly];
+		$this->defaultSrc = [(string) $uri => $override ?? $this->reportOnly];
 
 		return $this;
 	}
@@ -373,13 +374,13 @@ public function setDefaultSrc($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-font-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addFontSrc($uri, bool $reportOnly = false)
+	public function addFontSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'fontSrc', $reportOnly);
+		$this->addOption($uri, 'fontSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -393,13 +394,13 @@ public function addFontSrc($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-form-action
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addFormAction($uri, bool $reportOnly = false)
+	public function addFormAction($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'formAction', $reportOnly);
+		$this->addOption($uri, 'formAction', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -413,13 +414,13 @@ public function addFormAction($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-frame-ancestors
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addFrameAncestor($uri, bool $reportOnly = false)
+	public function addFrameAncestor($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'frameAncestors', $reportOnly);
+		$this->addOption($uri, 'frameAncestors', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -433,13 +434,13 @@ public function addFrameAncestor($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-img-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addImageSrc($uri, bool $reportOnly = false)
+	public function addImageSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'imageSrc', $reportOnly);
+		$this->addOption($uri, 'imageSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -453,13 +454,13 @@ public function addImageSrc($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-media-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addMediaSrc($uri, bool $reportOnly = false)
+	public function addMediaSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'mediaSrc', $reportOnly);
+		$this->addOption($uri, 'mediaSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -473,13 +474,13 @@ public function addMediaSrc($uri, bool $reportOnly = false)
 	 * @see https://www.w3.org/TR/CSP/#directive-manifest-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addManifestSrc($uri, bool $reportOnly = false)
+	public function addManifestSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'manifestSrc', $reportOnly);
+		$this->addOption($uri, 'manifestSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -493,13 +494,13 @@ public function addManifestSrc($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-object-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addObjectSrc($uri, bool $reportOnly = false)
+	public function addObjectSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'objectSrc', $reportOnly);
+		$this->addOption($uri, 'objectSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -512,14 +513,14 @@ public function addObjectSrc($uri, bool $reportOnly = false)
 	 *
 	 * @see http://www.w3.org/TR/CSP/#directive-plugin-types
 	 *
-	 * @param string  $mime       One or more plugin mime types, separate by spaces
-	 * @param boolean $reportOnly
+	 * @param string       $mime     One or more plugin mime types, separate by spaces
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addPluginType($mime, bool $reportOnly = false)
+	public function addPluginType($mime, ?bool $override = null)
 	{
-		$this->addOption($mime, 'pluginTypes', $reportOnly);
+		$this->addOption($mime, 'pluginTypes', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -566,7 +567,6 @@ public function setSandbox(bool $value = true, array $flags = null)
 		{
 			$this->sandbox = $flags;
 		}
-
 		return $this;
 	}
 
@@ -579,13 +579,13 @@ public function setSandbox(bool $value = true, array $flags = null)
 	 * @see http://www.w3.org/TR/CSP/#directive-connect-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addScriptSrc($uri, bool $reportOnly = false)
+	public function addScriptSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'scriptSrc', $reportOnly);
+		$this->addOption($uri, 'scriptSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -599,13 +599,13 @@ public function addScriptSrc($uri, bool $reportOnly = false)
 	 * @see http://www.w3.org/TR/CSP/#directive-connect-src
 	 *
 	 * @param $uri
-	 * @param boolean $reportOnly
+	 * @param boolean|null $override
 	 *
 	 * @return $this
 	 */
-	public function addStyleSrc($uri, bool $reportOnly = false)
+	public function addStyleSrc($uri, ?bool $override = null)
 	{
-		$this->addOption($uri, 'styleSrc', $reportOnly);
+		$this->addOption($uri, 'styleSrc', $override ?? $this->reportOnly);
 
 		return $this;
 	}
@@ -636,10 +636,10 @@ public function upgradeInsecureRequests(bool $value = true)
 	 * DRY method to add an string or array to a class property.
 	 *
 	 * @param $options
-	 * @param string  $target
-	 * @param boolean $reportOnly If TRUE, this item will be reported, not restricted
+	 * @param string       $target
+	 * @param boolean|null $override
 	 */
-	protected function addOption($options, string $target, bool $reportOnly = false)
+	protected function addOption($options, string $target, ?bool $override = null)
 	{
 		// Ensure we have an array to work with...
 		if (is_string($this->{$target}))
@@ -652,15 +652,15 @@ protected function addOption($options, string $target, bool $reportOnly = false)
 			$newOptions = [];
 			foreach ($options as $opt)
 			{
-				$newOptions[] = [$opt => $reportOnly];
+				$newOptions[] = [$opt => $override ?? $this->reportOnly];
 			}
 
 			$this->{$target} = array_merge($this->{$target}, $newOptions);
 			unset($newOptions);
 		}
 		else
 		{
-			$this->{$target}[$options] = $reportOnly;
+			$this->{$target}[$options] = $override ?? $this->reportOnly;
 		}
 	}
 
@@ -769,6 +769,12 @@ protected function buildHeaders(ResponseInterface &$response)
 			{
 				$header .= " {$name} {$value};";
 			}
+			// add token only if needed
+			if ($this->upgradeInsecureRequests)
+			{
+				$header .= ' upgrade-insecure-requests;';
+			}
+
 			$response->appendHeader('Content-Security-Policy', $header);
 		}
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`		`-<?php namespace CodeIgniter\HTTP;`
	`1`	`+<?php`
	`2`	`+namespace CodeIgniter\HTTP;`
`2`	`3`
`3`	`4`	`/**`
`4`	`5`	`* CodeIgniter`
`@@ -280,14 +281,14 @@ public function reportOnly(bool $value = true)`
`280`	`281`	`*`
`281`	`282`	`* @see http://www.w3.org/TR/CSP/#directive-base-uri`
`282`	`283`	`*`
`283`		`- * @param string $uri`
`284`		`- * @param boolean $reportOnly`
	`284`	`+ * @param string $uri`
	`285`	`+ * @param boolean\|null $override`
`285`	`286`	`*`
`286`	`287`	`* @return $this`
`287`	`288`	`*/`
`288`		`- public function setBaseURI($uri, bool $reportOnly)`
	`289`	`+ public function setBaseURI($uri, ?bool $override = null)`
`289`	`290`	`{`
`290`		`- $this->baseURI = [(string) $uri => $reportOnly];`
	`291`	`+ $this->baseURI = [(string) $uri => $override ?? $this->reportOnly];`
`291`	`292`
`292`	`293`	`return $this;`
`293`	`294`	`}`
`@@ -305,13 +306,13 @@ public function setBaseURI($uri, bool $reportOnly)`
`305`	`306`	`* @see http://www.w3.org/TR/CSP/#directive-child-src`
`306`	`307`	`*`
`307`	`308`	`* @param $uri`
`308`		`- * @param boolean $reportOnly`
	`309`	`+ * @param boolean\|null $override`
`309`	`310`	`*`
`310`	`311`	`* @return $this`
`311`	`312`	`*/`
`312`		`- public function addChildSrc($uri, bool $reportOnly = false)`
	`313`	`+ public function addChildSrc($uri, ?bool $override = null)`
`313`	`314`	`{`
`314`		`- $this->addOption($uri, 'childSrc', $reportOnly);`
	`315`	`+ $this->addOption($uri, 'childSrc', $override ?? $this->reportOnly);`
`315`	`316`
`316`	`317`	`return $this;`
`317`	`318`	`}`
`@@ -328,13 +329,13 @@ public function addChildSrc($uri, bool $reportOnly = false)`
`328`	`329`	`* @see http://www.w3.org/TR/CSP/#directive-connect-src`
`329`	`330`	`*`
`330`	`331`	`* @param $uri`
`331`		`- * @param boolean $reportOnly`
	`332`	`+ * @param boolean\|null $override`
`332`	`333`	`*`
`333`	`334`	`* @return $this`
`334`	`335`	`*/`
`335`		`- public function addConnectSrc($uri, bool $reportOnly = false)`
	`336`	`+ public function addConnectSrc($uri, ?bool $override = null)`
`336`	`337`	`{`
`337`		`- $this->addOption($uri, 'connectSrc', $reportOnly);`
	`338`	`+ $this->addOption($uri, 'connectSrc', $override ?? $this->reportOnly);`
`338`	`339`
`339`	`340`	`return $this;`
`340`	`341`	`}`
`@@ -351,13 +352,13 @@ public function addConnectSrc($uri, bool $reportOnly = false)`
`351`	`352`	`* @see http://www.w3.org/TR/CSP/#directive-default-src`
`352`	`353`	`*`
`353`	`354`	`* @param $uri`
`354`		`- * @param boolean $reportOnly`
	`355`	`+ * @param boolean\|null $override`
`355`	`356`	`*`
`356`	`357`	`* @return $this`
`357`	`358`	`*/`
`358`		`- public function setDefaultSrc($uri, bool $reportOnly = false)`
	`359`	`+ public function setDefaultSrc($uri, ?bool $override = null)`
`359`	`360`	`{`
`360`		`- $this->defaultSrc = [(string) $uri => $reportOnly];`
	`361`	`+ $this->defaultSrc = [(string) $uri => $override ?? $this->reportOnly];`
`361`	`362`
`362`	`363`	`return $this;`
`363`	`364`	`}`
`@@ -373,13 +374,13 @@ public function setDefaultSrc($uri, bool $reportOnly = false)`
`373`	`374`	`* @see http://www.w3.org/TR/CSP/#directive-font-src`
`374`	`375`	`*`
`375`	`376`	`* @param $uri`
`376`		`- * @param boolean $reportOnly`
	`377`	`+ * @param boolean\|null $override`
`377`	`378`	`*`
`378`	`379`	`* @return $this`
`379`	`380`	`*/`
`380`		`- public function addFontSrc($uri, bool $reportOnly = false)`
	`381`	`+ public function addFontSrc($uri, ?bool $override = null)`
`381`	`382`	`{`
`382`		`- $this->addOption($uri, 'fontSrc', $reportOnly);`
	`383`	`+ $this->addOption($uri, 'fontSrc', $override ?? $this->reportOnly);`
`383`	`384`
`384`	`385`	`return $this;`
`385`	`386`	`}`
`@@ -393,13 +394,13 @@ public function addFontSrc($uri, bool $reportOnly = false)`
`393`	`394`	`* @see http://www.w3.org/TR/CSP/#directive-form-action`
`394`	`395`	`*`
`395`	`396`	`* @param $uri`
`396`		`- * @param boolean $reportOnly`
	`397`	`+ * @param boolean\|null $override`
`397`	`398`	`*`
`398`	`399`	`* @return $this`
`399`	`400`	`*/`
`400`		`- public function addFormAction($uri, bool $reportOnly = false)`
	`401`	`+ public function addFormAction($uri, ?bool $override = null)`
`401`	`402`	`{`
`402`		`- $this->addOption($uri, 'formAction', $reportOnly);`
	`403`	`+ $this->addOption($uri, 'formAction', $override ?? $this->reportOnly);`
`403`	`404`
`404`	`405`	`return $this;`
`405`	`406`	`}`
`@@ -413,13 +414,13 @@ public function addFormAction($uri, bool $reportOnly = false)`
`413`	`414`	`* @see http://www.w3.org/TR/CSP/#directive-frame-ancestors`
`414`	`415`	`*`
`415`	`416`	`* @param $uri`
`416`		`- * @param boolean $reportOnly`
	`417`	`+ * @param boolean\|null $override`
`417`	`418`	`*`
`418`	`419`	`* @return $this`
`419`	`420`	`*/`
`420`		`- public function addFrameAncestor($uri, bool $reportOnly = false)`
	`421`	`+ public function addFrameAncestor($uri, ?bool $override = null)`
`421`	`422`	`{`
`422`		`- $this->addOption($uri, 'frameAncestors', $reportOnly);`
	`423`	`+ $this->addOption($uri, 'frameAncestors', $override ?? $this->reportOnly);`
`423`	`424`
`424`	`425`	`return $this;`
`425`	`426`	`}`
`@@ -433,13 +434,13 @@ public function addFrameAncestor($uri, bool $reportOnly = false)`
`433`	`434`	`* @see http://www.w3.org/TR/CSP/#directive-img-src`
`434`	`435`	`*`
`435`	`436`	`* @param $uri`
`436`		`- * @param boolean $reportOnly`
	`437`	`+ * @param boolean\|null $override`
`437`	`438`	`*`
`438`	`439`	`* @return $this`
`439`	`440`	`*/`
`440`		`- public function addImageSrc($uri, bool $reportOnly = false)`
	`441`	`+ public function addImageSrc($uri, ?bool $override = null)`
`441`	`442`	`{`
`442`		`- $this->addOption($uri, 'imageSrc', $reportOnly);`
	`443`	`+ $this->addOption($uri, 'imageSrc', $override ?? $this->reportOnly);`
`443`	`444`
`444`	`445`	`return $this;`
`445`	`446`	`}`
`@@ -453,13 +454,13 @@ public function addImageSrc($uri, bool $reportOnly = false)`
`453`	`454`	`* @see http://www.w3.org/TR/CSP/#directive-media-src`
`454`	`455`	`*`
`455`	`456`	`* @param $uri`
`456`		`- * @param boolean $reportOnly`
	`457`	`+ * @param boolean\|null $override`
`457`	`458`	`*`
`458`	`459`	`* @return $this`
`459`	`460`	`*/`
`460`		`- public function addMediaSrc($uri, bool $reportOnly = false)`
	`461`	`+ public function addMediaSrc($uri, ?bool $override = null)`
`461`	`462`	`{`
`462`		`- $this->addOption($uri, 'mediaSrc', $reportOnly);`
	`463`	`+ $this->addOption($uri, 'mediaSrc', $override ?? $this->reportOnly);`
`463`	`464`
`464`	`465`	`return $this;`
`465`	`466`	`}`
`@@ -473,13 +474,13 @@ public function addMediaSrc($uri, bool $reportOnly = false)`
`473`	`474`	`* @see https://www.w3.org/TR/CSP/#directive-manifest-src`
`474`	`475`	`*`
`475`	`476`	`* @param $uri`
`476`		`- * @param boolean $reportOnly`
	`477`	`+ * @param boolean\|null $override`
`477`	`478`	`*`
`478`	`479`	`* @return $this`
`479`	`480`	`*/`
`480`		`- public function addManifestSrc($uri, bool $reportOnly = false)`
	`481`	`+ public function addManifestSrc($uri, ?bool $override = null)`
`481`	`482`	`{`
`482`		`- $this->addOption($uri, 'manifestSrc', $reportOnly);`
	`483`	`+ $this->addOption($uri, 'manifestSrc', $override ?? $this->reportOnly);`
`483`	`484`
`484`	`485`	`return $this;`
`485`	`486`	`}`
`@@ -493,13 +494,13 @@ public function addManifestSrc($uri, bool $reportOnly = false)`
`493`	`494`	`* @see http://www.w3.org/TR/CSP/#directive-object-src`
`494`	`495`	`*`
`495`	`496`	`* @param $uri`
`496`		`- * @param boolean $reportOnly`
	`497`	`+ * @param boolean\|null $override`
`497`	`498`	`*`
`498`	`499`	`* @return $this`
`499`	`500`	`*/`
`500`		`- public function addObjectSrc($uri, bool $reportOnly = false)`
	`501`	`+ public function addObjectSrc($uri, ?bool $override = null)`
`501`	`502`	`{`
`502`		`- $this->addOption($uri, 'objectSrc', $reportOnly);`
	`503`	`+ $this->addOption($uri, 'objectSrc', $override ?? $this->reportOnly);`
`503`	`504`
`504`	`505`	`return $this;`
`505`	`506`	`}`
`@@ -512,14 +513,14 @@ public function addObjectSrc($uri, bool $reportOnly = false)`
`512`	`513`	`*`
`513`	`514`	`* @see http://www.w3.org/TR/CSP/#directive-plugin-types`
`514`	`515`	`*`
`515`		`- * @param string $mime One or more plugin mime types, separate by spaces`
`516`		`- * @param boolean $reportOnly`
	`516`	`+ * @param string $mime One or more plugin mime types, separate by spaces`
	`517`	`+ * @param boolean\|null $override`
`517`	`518`	`*`
`518`	`519`	`* @return $this`
`519`	`520`	`*/`
`520`		`- public function addPluginType($mime, bool $reportOnly = false)`
	`521`	`+ public function addPluginType($mime, ?bool $override = null)`
`521`	`522`	`{`
`522`		`- $this->addOption($mime, 'pluginTypes', $reportOnly);`
	`523`	`+ $this->addOption($mime, 'pluginTypes', $override ?? $this->reportOnly);`
`523`	`524`
`524`	`525`	`return $this;`
`525`	`526`	`}`
`@@ -566,7 +567,6 @@ public function setSandbox(bool $value = true, array $flags = null)`
`566`	`567`	`{`
`567`	`568`	`$this->sandbox = $flags;`
`568`	`569`	`}`
`569`		`-`
`570`	`570`	`return $this;`
`571`	`571`	`}`
`572`	`572`
`@@ -579,13 +579,13 @@ public function setSandbox(bool $value = true, array $flags = null)`
`579`	`579`	`* @see http://www.w3.org/TR/CSP/#directive-connect-src`
`580`	`580`	`*`
`581`	`581`	`* @param $uri`
`582`		`- * @param boolean $reportOnly`
	`582`	`+ * @param boolean\|null $override`
`583`	`583`	`*`
`584`	`584`	`* @return $this`
`585`	`585`	`*/`
`586`		`- public function addScriptSrc($uri, bool $reportOnly = false)`
	`586`	`+ public function addScriptSrc($uri, ?bool $override = null)`
`587`	`587`	`{`
`588`		`- $this->addOption($uri, 'scriptSrc', $reportOnly);`
	`588`	`+ $this->addOption($uri, 'scriptSrc', $override ?? $this->reportOnly);`
`589`	`589`
`590`	`590`	`return $this;`
`591`	`591`	`}`
`@@ -599,13 +599,13 @@ public function addScriptSrc($uri, bool $reportOnly = false)`
`599`	`599`	`* @see http://www.w3.org/TR/CSP/#directive-connect-src`
`600`	`600`	`*`
`601`	`601`	`* @param $uri`
`602`		`- * @param boolean $reportOnly`
	`602`	`+ * @param boolean\|null $override`
`603`	`603`	`*`
`604`	`604`	`* @return $this`
`605`	`605`	`*/`
`606`		`- public function addStyleSrc($uri, bool $reportOnly = false)`
	`606`	`+ public function addStyleSrc($uri, ?bool $override = null)`
`607`	`607`	`{`
`608`		`- $this->addOption($uri, 'styleSrc', $reportOnly);`
	`608`	`+ $this->addOption($uri, 'styleSrc', $override ?? $this->reportOnly);`
`609`	`609`
`610`	`610`	`return $this;`
`611`	`611`	`}`
`@@ -636,10 +636,10 @@ public function upgradeInsecureRequests(bool $value = true)`
`636`	`636`	`* DRY method to add an string or array to a class property.`
`637`	`637`	`*`
`638`	`638`	`* @param $options`
`639`		`- * @param string $target`
`640`		`- * @param boolean $reportOnly If TRUE, this item will be reported, not restricted`
	`639`	`+ * @param string $target`
	`640`	`+ * @param boolean\|null $override`
`641`	`641`	`*/`
`642`		`- protected function addOption($options, string $target, bool $reportOnly = false)`
	`642`	`+ protected function addOption($options, string $target, ?bool $override = null)`
`643`	`643`	`{`
`644`	`644`	`// Ensure we have an array to work with...`
`645`	`645`	`if (is_string($this->{$target}))`
`@@ -652,15 +652,15 @@ protected function addOption($options, string $target, bool $reportOnly = false)`
`652`	`652`	`$newOptions = [];`
`653`	`653`	`foreach ($options as $opt)`
`654`	`654`	`{`
`655`		`- $newOptions[] = [$opt => $reportOnly];`
	`655`	`+ $newOptions[] = [$opt => $override ?? $this->reportOnly];`
`656`	`656`	`}`
`657`	`657`
`658`	`658`	`$this->{$target} = array_merge($this->{$target}, $newOptions);`
`659`	`659`	`unset($newOptions);`
`660`	`660`	`}`
`661`	`661`	`else`
`662`	`662`	`{`
`663`		`- $this->{$target}[$options] = $reportOnly;`
	`663`	`+ $this->{$target}[$options] = $override ?? $this->reportOnly;`
`664`	`664`	`}`
`665`	`665`	`}`
`666`	`666`
`@@ -769,6 +769,12 @@ protected function buildHeaders(ResponseInterface &$response)`
`769`	`769`	`{`
`770`	`770`	`$header .= " {$name} {$value};";`
`771`	`771`	`}`
	`772`	`+ // add token only if needed`
	`773`	`+ if ($this->upgradeInsecureRequests)`
	`774`	`+ {`
	`775`	`+ $header .= ' upgrade-insecure-requests;';`
	`776`	`+ }`
	`777`	`+`
`772`	`778`	`$response->appendHeader('Content-Security-Policy', $header);`
`773`	`779`	`}`
`774`	`780`