Skip to content
This repository was archived by the owner on Jan 30, 2020. It is now read-only.

ContentSecurityPolicy headers overwrite each other #159

Closed
2 tasks done
markushausammann opened this issue Oct 21, 2018 · 6 comments · Fixed by #190
Closed
2 tasks done

ContentSecurityPolicy headers overwrite each other #159

markushausammann opened this issue Oct 21, 2018 · 6 comments · Fixed by #190
Labels
bug
Milestone
2.10.1

Comments

@markushausammann
Copy link

  • I was not able to find an open or closed issue matching what I'm seeing.
  • This is not a question. (Questions should be asked on chat (Signup here) or our forums.)

It's often not allowed or recommended to have several headers with the same name. But there are situations where it is allowed or even necessary. The CSP is one of these.

https://w3c.github.io/webappsec-csp/#multiple-policies

and

https://www.w3.org/TR/CSP2/#content-security-policy-header-field

Imagine a case where a main application creates a CSP and different modules also independently add their own CSPs. The framework MUST render them all separately OR do a preemptive union merge which is what the client would otherwise do. It will (hopefully) quickly become standard practice that modules provide their own CSPs.

Code to reproduce the issue

$headers = $controller->getResponse()->getHeaders();
$headers->addHeader(new ContentSecurityPolicy($someDirectives));
$headers->addHeader(new ContentSecurityPolicy($someOtherDirectives));

Expected results

The expected result is a response with two CSP headers (OR a union merged CSP).

Actual results

The second addition overwrites the first, the response only contains that one CSP.
@markushausammann
Copy link
Author

PS: It's not enough to have ContentSecurityPolicy implement MultipleHeaderInterface I think. The framework also needs to make sure to check for existing policies and append them automatically.

@markushausammann
Copy link
Author

Also I'm trying to understand the MultipleHeaderInterface and I've tried to add such a multi header string via addHeaderLine but that makes Headers throw an exception on line 192: A field name was provided without a field value.

:-o

@markushausammann
Copy link
Author

Am I even in the right repository? Seems this one hasn't really been touched for quite some time.

@Ocramius
Copy link
Member

Yeah, the repo is correct, but unless someone picks up a failing test case + patch, it's not gonna be solved. If you can manage to create a failing test, that already simplifies things enormously.

@markushausammann
Copy link
Author

Ok, I'll try to find time for something... not that I'm the right person to do that.

@Ocramius
Copy link
Member

Yes you are: you know exactly what the bug looks like 👍

@michalbundyra michalbundyra added this to the 2.10.1 milestone Sep 28, 2019
@michalbundyra michalbundyra mentioned this issue Sep 28, 2019
Merged
7 tasks
michalbundyra added a commit that referenced this issue Nov 29, 2019
@michalbundyra
Merge branch 'hotfix/190'
b9dc827 
Close #190
Fix #159
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
2.10.1
Development

Successfully merging a pull request may close this issue.

Content-Security-Policy implements MultipleHeaderInterface
3 participants
@Ocramius @markushausammann @michalbundyra