paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License
544 stars 39 forks

How to add strict-dynamic? #33

Closed strider72 closed 6 years ago

strider72 commented 6 years ago

How do I add a 'strict-dynamic' directive for styles/scripts? The directive is mentioned in the code, but it is not clear how to use it.

paragonie-scott commented 6 years ago
<?php
/* snip */

$cspBuilder->setDirective('strict-dynamic', true);

strider72 commented 6 years ago

I tried that. Didn't work!

strider72 commented 6 years ago

Pretty sure you need to add something like:

->setStrictDynamic('style-src', true);

This URL has a really good example of how it works: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic

strider72 commented 6 years ago

To clarify: You're using strict-dynamic incorrectly. It's not its own thing -- it's a directive, much like 'self' or 'none', that works within script-src (and maybe style-src?). So you send a header like...

Content-Security-Policy: script-src 'self' 'nonce-123456789' 'strict-dynamic';

swiffer commented 6 years ago

There is no way to add it programmatically as far as I understand. However, it is used correctly as described in your latest post.

Here's a little workaround:

use ParagonIE\CSPBuilder\CSPBuilder;
$csp = new CSPBuilder(['script-src' => ['strict-dynamic' => true]]);
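Putting the two points of this thread together (a per-response nonce on script-src, plus 'strict-dynamic' via the array key in the workaround above), here is a complete added example. It is not code from the csp-builder project or from anyone in this thread; it assumes composer autoloading, the constructor, nonce() and compile() methods shown in the project README, and the 'strict-dynamic' => true key from the workaround. The HTML it renders is a constructed sample.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the csp-builder project or this thread).
 * Assumptions: composer autoloading; CSPBuilder::__construct(array), nonce()
 * and compile() as shown in the project README; the 'strict-dynamic' => true
 * array key from the workaround posted above. Sample HTML is constructed.
 */
require_once __DIR__ . '/vendor/autoload.php';

use ParagonIE\CSPBuilder\CSPBuilder;

/**
 * Build a nonce-based 'strict-dynamic' script policy.
 *
 * Returns [header value, nonce]. Regenerate the nonce on every response and
 * put it on every <script> tag the page itself emits. Scripts that a nonced
 * script creates with document.createElement() inherit trust under
 * 'strict-dynamic'; parser-inserted markup (inline handlers, <script> tags
 * injected through innerHTML) without the nonce is still blocked.
 */
function buildStrictDynamicPolicy(): array
{
    $csp = new CSPBuilder([
        'default-src' => ['self' => true],
        'script-src'  => [
            // Browsers that understand 'strict-dynamic' ignore 'self' and
            // host allowlists on script-src; keeping it only serves as a
            // fallback for older CSP2-only browsers.
            'self'           => true,
            'strict-dynamic' => true,  // array key from the workaround above
        ],
    ]);

    // nonce() generates a random nonce, registers it on script-src and
    // returns it so it can be placed on the page's own <script> tags.
    $nonce = $csp->nonce('script-src');

    return [$csp->compile(), $nonce];
}

/** Render a page whose own scripts carry the nonce (constructed sample). */
function renderPage(string $nonce): string
{
    $n = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    return <<<HTML
<!doctype html>
<script nonce="{$n}">
  // Trusted: carries the nonce. The script it creates below is also trusted
  // under 'strict-dynamic' even though its host appears nowhere in the policy.
  const s = document.createElement('script');
  s.src = 'https://cdn.example/app.js';
  document.head.appendChild(s);
</script>
<script>/* blocked: no nonce, and parser-inserted */</script>
HTML;
}

/** Sanity check a compiled header before sending it (handy in a unit test). */
function policyLooksRight(string $header, string $nonce): bool
{
    return strpos($header, "'strict-dynamic'") !== false
        && strpos($header, "'nonce-{$nonce}'") !== false;
}

[$header, $nonce] = buildStrictDynamicPolicy();
if (!policyLooksRight($header, $nonce)) {
    throw new RuntimeException('unexpected CSP: ' . $header);
}
header('Content-Security-Policy: ' . $header);
echo renderPage($nonce);
```

The check in policyLooksRight() is the kind of assertion worth keeping in a test suite: if someone later removes the 'strict-dynamic' key or switches the nonce directive, the policy silently degrades to an allowlist and the test catches it.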