private static function Csp::ff1313937 in Content-Security-Policy 8

Firefox doesn't respect certain sources set on default-src.

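When script-src or style-src is not set and falls back to default-src, Firefox does not apply any 'strict-dynamic', nonce, or hash sources listed in default-src. As a workaround, this method copies default-src into whichever of script-src and style-src is missing, leaving 'strict-dynamic' out of style-src.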

Parameters

array $directives: An array of directives.

Return value

array The modified array of directives.

See also

https://bugzilla.mozilla.org/show_bug.cgi?id=1313937

1 call to Csp::ff1313937()
Csp::getHeaderValue in src/Csp.php
Get the header value.

File

src/Csp.php, line 562

Class

Csp
A CSP Header.

Namespace

Drupal\csp

Code

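private static function ff1313937(array $directives) {
  // Nothing can fall back to default-src if it is not set.
  if (empty($directives['default-src'])) {
    return $directives;
  }
  // Does default-src contain 'strict-dynamic', a nonce, or a hash? Hash
  // sources are written as 'sha256-...', 'sha384-...' or 'sha512-...'.
  $hasBugSource = array_reduce($directives['default-src'], function ($return, $value) {
    return $return || ($value == Csp::POLICY_STRICT_DYNAMIC || preg_match("<^'(sha(256|384|512)|nonce)->", $value));
  }, FALSE);
  if ($hasBugSource) {
    // Set the directives explicitly so Firefox does not rely on the fallback.
    if (empty($directives['script-src'])) {
      $directives['script-src'] = $directives['default-src'];
    }
    if (empty($directives['style-src'])) {
      // 'strict-dynamic' only applies to scripts, so leave it out of style-src.
      $directives['style-src'] = array_diff($directives['default-src'], [
        Csp::POLICY_STRICT_DYNAMIC,
      ]);
    }
  }
  return $directives;
}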
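
An added example, not part of the csp module: a stand-alone check that parses a rendered Content-Security-Policy header value and reports which of script-src and style-src still rely on a default-src fallback containing 'strict-dynamic', a nonce or a hash. The function names and the sample header values are constructed for illustration.

```php
<?php
// Added example; parse_csp_header() and directives_relying_on_fallback()
// are hypothetical helpers, not functions of the csp module.

// Parse a header value into [directive name => [sources]].
function parse_csp_header(string $header): array {
  $directives = [];
  foreach (explode(';', $header) as $part) {
    $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
    if (!$tokens) {
      continue;
    }
    $name = strtolower(array_shift($tokens));
    // A repeated directive is ignored; the first occurrence wins.
    if (!isset($directives[$name])) {
      $directives[$name] = $tokens;
    }
  }
  return $directives;
}

// Return the directives (script-src, style-src) that are absent while
// default-src carries 'strict-dynamic', a nonce or a hash source.
function directives_relying_on_fallback(string $header): array {
  $directives = parse_csp_header($header);
  $bugSources = preg_grep(
    "/^'(strict-dynamic'|nonce-|sha(256|384|512)-)/",
    $directives['default-src'] ?? []
  );
  if (!$bugSources) {
    return [];
  }
  return array_values(array_filter(
    ['script-src', 'style-src'],
    function ($name) use ($directives) {
      return !isset($directives[$name]);
    }
  ));
}

// Constructed sample header values.
$samples = [
  "default-src 'self' 'nonce-cjRhbmRvbQ=='",
  "default-src 'self' 'strict-dynamic' 'nonce-cjRhbmRvbQ=='; script-src 'self' 'nonce-cjRhbmRvbQ=='",
  "default-src 'self'; img-src *",
];
foreach ($samples as $header) {
  $missing = directives_relying_on_fallback($header);
  $verdict = $missing ? 'set explicitly: ' . implode(', ', $missing) : 'not affected';
  echo $header, "\n  => ", $verdict, "\n";
}
```

The first sample reports both directives, the second only style-src, and the third is not affected.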