Merge pull request #68 from fritzmg/allow-unsafed-hash-parameters

Allow 'unsafe-hashed-attributes' to be set
paragonie · Mar 26, 2023 · acdda0e · acdda0e
2 parents f6367bf + db6b4f1
commit acdda0e
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/src/CSPBuilder.php b/src/CSPBuilder.php
@@ -613,6 +613,23 @@ public function setAllowUnsafeInline(string $directive = '', bool $allow = false
         return $this;
     }
 
+    /**
+     * Allow/disallow unsafe-hashed-attributes within a given directive.
+     *
+     * @param string $directive
+     * @param bool $allow
+     * @return self
+     * @throws Exception
+     */
+    public function setAllowUnsafeHashedAttributes(string $directive = '', bool $allow = false): self
+    {
+        if (!in_array($directive, self::$directives)) {
+            throw new Exception('Directive ' . $directive . ' does not exist');
+        }
+        $this->policies[$directive]['unsafe-hashed-attributes'] = $allow;
+        return $this;
+    }
+
     /**
      * Allow/disallow blob: URIs for a given directive
      *

diff --git a/test/BasicTest.php b/test/BasicTest.php
@@ -334,6 +334,19 @@ public function testSaveSnippetWithoutHookBeforeSave()
         );
     }
 
+    /**
+     * @covers CSPBuilder::setAllowUnsafeEval()
+     * @throws \Exception
+     */
+    public function testAllowUnsafeHashedAttributes()
+    {
+        $csp = new CSPBuilder();
+        $csp->setAllowUnsafeHashedAttributes('script-src', true);
+        $compiled = $csp->compile();
+
+        $this->assertStringContainsString("'unsafe-hashed-attributes'", $compiled);
+     }
+
     /**
      * @covers CSPBuilder::allowPluginType()
      * @throws \Exception