Ignore CSP violations from browser userscripts (source-file: user-script)

Add 'user-script' to ignored source files in CspReportController to filter out false positive CSP violations triggered by browser extensions/userscripts. Add corresponding test case. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 11:33:09 +02:00
parent 622e1894ae
commit 97ef920514
2 changed files with 21 additions and 1 deletions
--- a/src/Controller/CspReportController.php
+++ b/src/Controller/CspReportController.php
@@ -58,7 +58,8 @@ class CspReportController extends AbstractController
            || str_contains($sourceFile, 'localhost')
            || 'wasm-eval' === $blockedUri
            || 'inline' === $blockedUri && str_contains($sourceFile, 'node_modules')
-            || 'about:blank' === $blockedUri;
+            || 'about:blank' === $blockedUri
+            || 'user-script' === $sourceFile;
    }

    /**
--- a/tests/Controller/CspReportControllerTest.php
+++ b/tests/Controller/CspReportControllerTest.php
@@ -36,6 +36,25 @@ class CspReportControllerTest extends WebTestCase
        self::assertResponseStatusCodeSame(204);
    }

+    public function testUserScriptViolationIsIgnored(): void
+    {
+        $client = static::createClient();
+        $payload = json_encode([
+            'csp-report' => [
+                'source-file' => 'user-script',
+                'blocked-uri' => 'eval',
+                'document-uri' => 'https://e-cosplay.fr/page',
+                'violated-directive' => 'script-src',
+            ],
+        ]);
+
+        $client->request('POST', '/my-csp-report', [], [], [
+            'CONTENT_TYPE' => 'application/json',
+        ], $payload);
+
+        self::assertResponseStatusCodeSame(204);
+    }
+
    public function testRealViolationIsProcessed(): void
    {
        $client = static::createClient();