paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

report-uri should not be encoded at all #64

Closed Firesphere closed 1 year ago

Firesphere commented 1 year ago

The report-uri should, like report-to, be unencoded.

If any encoding happens on those URLs, the endpoint is parsed as current.website/{encoded-report-endpoint}

frederikbosch commented 1 year ago

I agree. The currently merged PR does urlencode, which also results in an inappropriate/unusable report-uri. I do think the new lines should be replaced.

My solution for now is:

<?php
declare(strict_types=1);

use ParagonIE\CSPBuilder\CSPBuilder;

// $defaultPolicies is the policy array you would otherwise pass to new CSPBuilder(...).
$builder = new class($defaultPolicies) extends CSPBuilder {
    // Override the library's value encoder: URL-typed values (report-uri, report-to, any
    // http(s) source) are left as-is apart from CR/LF, which must never reach a raw header.
    protected function enc(string $piece, string $type = 'default'): string
    {
        if ($type === 'url' || \str_starts_with($piece, 'https://') || \str_starts_with($piece, 'http://')) {
            // Only neutralise header-splitting characters; do not percent-encode ':' or '/'.
            return str_replace(
                ["\r", "\n"],
                ['%0D', '%0A'],
                $piece
            );
        }

        // Everything else keeps the library's default encoding.
        return parent::enc($piece, $type);
    }
};
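The browser-side effect both comments describe, as an added example that is not part of this issue or of csp-builder: a percent-encoded report-uri token has no scheme, and the CSP spec parses each report-uri token as a URL relative to the protected document, so the report goes to a path on the current origin. The script runs under Node, uses the WHATWG URL class to do the same resolution a browser does, and stands in for the library with a hypothetical toy serialiser (buildCsp) and two encoders: encodeURIComponent in place of urlencode (both turn ':' and '/' into %3A and %2F, which is what breaks the URL), and the CR/LF-only treatment from the workaround above. The endpoint and page URLs are constructed sample input.

```javascript
// Added example, not csp-builder's code: what a percent-encoded report-uri does
// once a browser resolves it, and the "CR/LF only" treatment the thread proposes.
// Runs under Node (uses the global WHATWG URL class).

// urlencode()-style treatment of a directive value: reserved characters such as
// ':' and '/' become %3A and %2F, which is exactly what the issue objects to.
function urlEncodeValue(piece) {
  return encodeURIComponent(piece);
}

// The workaround from the thread as a plain function: for URL-typed values only
// neutralise CR and LF (so the value cannot split the header) and keep the rest.
function encodeUrlValue(piece) {
  return piece.replace(/\r/g, '%0D').replace(/\n/g, '%0A');
}

// Toy CSP serialiser (hypothetical, not the library's builder). `enc` is applied
// to http(s) values only, mirroring the check in the overridden enc() above.
function buildCsp(policies, enc) {
  return Object.entries(policies)
    .map(([directive, values]) => {
      const rendered = values.map(v => (/^https?:\/\//i.test(v) ? enc(v) : v));
      return `${directive} ${rendered.join(' ')}`;
    })
    .join('; ');
}

// Pull the first report-uri token out of a serialised policy (tokens are
// space-separated; directives are ';'-separated).
function reportUriFrom(header) {
  const m = header.match(/(?:^|;\s*)report-uri\s+([^;\s]+)/);
  return m ? m[1] : null;
}

// CSP parses each report-uri token as a URL relative to the protected document's
// URL, so a token with no scheme becomes a relative path on the current origin.
function resolveReportUri(header, documentUrl) {
  const token = reportUriFrom(header);
  if (token === null) return null;
  return new URL(token, documentUrl).href;
}

// Constructed sample input: a policy with a reporting endpoint, and the page
// that would send the header.
const policies = {
  'default-src': ["'self'"],
  'report-uri': ['https://reports.example.com/csp'],
};
const documentUrl = 'https://current.website/some/page';

const brokenHeader = buildCsp(policies, urlEncodeValue);
const fixedHeader = buildCsp(policies, encodeUrlValue);

console.log('urlencoded header :', brokenHeader);
console.log('  browser resolves:', resolveReportUri(brokenHeader, documentUrl));
console.log('raw header        :', fixedHeader);
console.log('  browser resolves:', resolveReportUri(fixedHeader, documentUrl));
// The CR/LF-only encoder still stops a value from splitting the header.
console.log('CRLF in value     :', encodeUrlValue('https://reports.example.com/csp\r\nX-Injected: 1'));
```

The first resolution lands on current.website, which is the symptom reported above: the reporting endpoint was never contacted and reports were POSTed to a non-existent path on the site itself. The second keeps the endpoint intact, and the last line shows that escaping only CR and LF is still enough to keep a caller-supplied value from injecting a second header line.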