admin/e-ticket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ignore CSP violations from browser userscripts (source-file: user-script)

Browse Source 
Add 'user-script' to ignored source files in CspReportController to filter
out false positive CSP violations triggered by browser extensions/userscripts.
Add corresponding test case.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
2026-04-01 11:33:09 +02:00
parent 622e1894ae
commit 97ef920514
2 changed files with 21 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/Controller/CspReportController.php
View File

@@ -58,7 +58,8 @@ class CspReportController extends AbstractController
|| str_contains($sourceFile, 'localhost') || str_contains($sourceFile, 'localhost')
|| 'wasm-eval' === $blockedUri || 'wasm-eval' === $blockedUri
|| 'inline' === $blockedUri && str_contains($sourceFile, 'node_modules') || 'inline' === $blockedUri && str_contains($sourceFile, 'node_modules')
|| 'about:blank' === $blockedUri; || 'about:blank' === $blockedUri
|| 'user-script' === $sourceFile;
} }
/** /**

19
tests/Controller/CspReportControllerTest.php
View File

@@ -36,6 +36,25 @@ class CspReportControllerTest extends WebTestCase
self::assertResponseStatusCodeSame(204); self::assertResponseStatusCodeSame(204);
} }
public function testUserScriptViolationIsIgnored(): void
{
$client = static::createClient();
$payload = json_encode([
'csp-report' => [
'source-file' => 'user-script',
'blocked-uri' => 'eval',
'document-uri' => 'https://e-cosplay.fr/page',
'violated-directive' => 'script-src',
],
]);
$client->request('POST', '/my-csp-report', [], [], [
'CONTENT_TYPE' => 'application/json',
], $payload);
self::assertResponseStatusCodeSame(204);
}
public function testRealViolationIsProcessed(): void public function testRealViolationIsProcessed(): void
{ {
$client = static::createClient(); $client = static::createClient();