Closed by strider72 6 years ago
<?php
/* snip */
$cspBuilder->setDirective('strict-dynamic', true);
I tried that. Didn't work!
Pretty sure you need to add something like:
->setStrictDynamic( 'style-src', true );
This URL has a really good example of how it works: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic
To clarify: You're using strict-dynamic incorrectly. It's not its own thing -- it's a directive, much like 'self' or 'none', that works within script-src (and maybe style-src?). So you send a header like...
script-src 'self' 'nonce-123456789' 'strict-dynamic';
There is no way to add it programmatically as far as I understand. However, it is used correctly as described in your latest post.
Here's a little workaround:
$csp = new CSPBuilder(['script-src' => ['strict-dynamic' => true]]);
How do I add a 'strict-dynamic' directive for styles/scripts? The directive is mentioned in the code, but it is not clear how to use it.
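An added example, not code from the thread or from the library it discusses: a small Python check that can be run over a compiled Content-Security-Policy value to catch the mistakes this thread circles around ('strict-dynamic' emitted as a directive name, unquoted nonce or keyword sources, and 'strict-dynamic' placed where it has no effect). The function name `lint_csp` and the sample policies are constructed for illustration.

```python
import re

# Keyword source expressions; inside a directive they must be single-quoted.
KEYWORDS = {"self", "none", "strict-dynamic", "unsafe-inline", "unsafe-eval"}
# 'strict-dynamic' only changes how scripts are trusted.
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "default-src"}
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/_=-]+'$")
UNQUOTED_NONCE_OR_HASH = re.compile(r"^(nonce|sha(256|384|512))-")

def lint_csp(header_value):
    """Return a list of findings for one Content-Security-Policy value."""
    findings = []
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name.strip("'") in KEYWORDS:
            # e.g. a policy that starts a directive with strict-dynamic
            findings.append(f"{name}: source keyword used as a directive name")
            continue
        if name.endswith(":"):
            findings.append(f"{name}: directive names take no trailing colon")
            name = name[:-1]
        for src in sources:
            if src in KEYWORDS or UNQUOTED_NONCE_OR_HASH.match(src):
                findings.append(f"{name}: {src} must be single-quoted")
        if "'strict-dynamic'" in sources:
            if name not in SCRIPT_DIRECTIVES:
                findings.append(f"{name}: 'strict-dynamic' only affects script loading")
            elif not any(NONCE_OR_HASH.match(s) for s in sources):
                # Host and 'self' sources are ignored under 'strict-dynamic'.
                findings.append(f"{name}: 'strict-dynamic' without a nonce or hash trusts no script")
    return findings

# Constructed sample policies (not captured from a real site).
SAMPLES = [
    "strict-dynamic",
    "script-src: 'self' nonce-123456789 'strict-dynamic';",
    "style-src 'self' 'strict-dynamic'",
    "script-src 'self' 'nonce-123456789' 'strict-dynamic'",
]

if __name__ == "__main__":
    for policy in SAMPLES:
        print(policy, "->", lint_csp(policy) or "ok")
```

Running the check against the header your application actually sends (for example in a test that fetches a page and reads the response header) shows whether the builder call produced the policy you intended.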