Closed Firesphere closed 1 year ago
I agree. The currently merged PR does urlencode, which is also resulting in an inappropriate/unusable report-uri. I do think the new lines should be replaced.
My solution for now is:
```php
<?php
declare(strict_types=1);

use ParagonIE\CSPBuilder\CSPBuilder;

// $defaultPolicies is the policy array the caller already passes to the constructor.
// The anonymous subclass overrides enc() so that URL-typed pieces, and any piece
// that already starts with http:// or https://, are not percent-encoded; only CR
// and LF are neutralised so they cannot start a new header line. Every other
// piece keeps the parent's default encoding.
$builder = new class($defaultPolicies) extends CSPBuilder {
    protected function enc(string $piece, string $type = 'default'): string
    {
        if ($type === 'url' || \str_starts_with($piece, 'https://') || \str_starts_with($piece, 'http://')) {
            return str_replace(
                ["\r", "\n"],
                ['%0D', '%0A'],
                $piece
            );
        }
        return parent::enc($piece, $type);
    }
};
```
The report-uri should, as report-to, be unencoded. If any encoding happens on those URLs, the endpoint is parsed as `current.website/{encoded-report-endpoint}`.
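To make the difference concrete, here is an added stand-alone example (not code from the csp-builder project or from the comment author) that contrasts the two sanitisation strategies for a report endpoint. `encodeWithUrlencode`, `encodeKeepingUrl`, `buildReportUriDirective` and `isAbsoluteUrl` are hypothetical helpers written for this example, and the endpoint strings are constructed sample values; the second one deliberately carries a CR/LF sequence to show that the URL-preserving variant still blocks header injection.

```php
<?php
declare(strict_types=1);

// Added example, not part of the csp-builder library or the comment above.
// It compares two ways of sanitising a report-uri / report-to value before it
// is placed into a Content-Security-Policy header.

/**
 * Percent-encodes the whole value. This does stop CR/LF header injection,
 * but the result no longer parses as an absolute URL, so a browser resolves
 * it relative to the current origin (current.website/https%3A%2F%2F...).
 */
function encodeWithUrlencode(string $endpoint): string
{
    return urlencode($endpoint);
}

/**
 * Keeps the URL intact and only replaces the two characters that could
 * terminate the header line (CR and LF), the approach taken in the comment.
 */
function encodeKeepingUrl(string $endpoint): string
{
    return str_replace(["\r", "\n"], ['%0D', '%0A'], $endpoint);
}

/**
 * Hypothetical helper: true when the value still has a scheme and a host,
 * i.e. when a browser would treat it as an absolute reporting endpoint.
 */
function isAbsoluteUrl(string $value): bool
{
    $parts = parse_url($value);
    return is_array($parts) && isset($parts['scheme'], $parts['host']);
}

/**
 * Hypothetical helper: builds the report-uri directive from a list of
 * endpoints, running each one through the supplied sanitiser.
 */
function buildReportUriDirective(array $endpoints, callable $sanitise): string
{
    return 'report-uri ' . implode(' ', array_map($sanitise, $endpoints));
}

// Constructed sample endpoints: a legitimate URL and one with an injected CRLF.
$endpoints = [
    'https://reports.example.test/csp?token=abc123',
    "https://reports.example.test/csp\r\nX-Injected: 1",
];

$strategies = [
    'urlencode' => 'encodeWithUrlencode',
    'keep-url'  => 'encodeKeepingUrl',
];

foreach ($strategies as $label => $sanitise) {
    echo $label, ":\n";
    echo '  directive: ', buildReportUriDirective($endpoints, $sanitise), "\n";
    foreach ($endpoints as $endpoint) {
        $clean = $sanitise($endpoint);
        // Both properties matter: the value must remain an absolute URL and
        // must not contain a raw CR or LF that could start a new header.
        printf(
            "  absolute URL: %s, raw CR/LF removed: %s\n",
            isAbsoluteUrl($clean) ? 'yes' : 'no',
            preg_match("/[\r\n]/", $clean) === 0 ? 'yes' : 'no'
        );
    }
}
```

Run with `php example.php`: the `urlencode` strategy reports "absolute URL: no" for both endpoints, which is exactly the relative-path problem the comment describes, while the `keep-url` strategy keeps the scheme and host and still reports the CR/LF as removed.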