Remove obsolete alternative CSP headers

Signed-off-by: Maximilian Krög <maxi_kroeg@web.de>

Author: MoonE

psalm-baseline.xml

@@ -9915,17 +9915,6 @@
       <code><![CDATA[Config::getInstance()]]></code>
       <code><![CDATA[DatabaseInterface::getInstance()]]></code>
     </DeprecatedMethod>
-    <PossiblyInvalidArgument>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-      <code><![CDATA[testGetHttpHeaders]]></code>
-    </PossiblyInvalidArgument>
   </file>
   <file src="tests/unit/Html/GeneratorTest.php">
     <DeprecatedMethod>

src/Header.php

@@ -343,7 +343,7 @@ public function getHttpHeaders(ClockInterface|null $clock = null): array
 
         $headers['Referrer-Policy'] = 'same-origin';
 
-        $headers = array_merge($headers, $this->getCspHeaders());
+        $headers['Content-Security-Policy'] = $this->getCspHeader();
 
         /**
          * Re-enable possible disabled XSS filters.
@@ -423,12 +423,8 @@ public function getPageTitle(): string
         return $this->title;
     }
 
-    /**
-     * Get all the CSP allow policy headers
-     *
-     * @return array<string, string>
-     */
-    private function getCspHeaders(): array
+    /** Get the Content-Security-Policy header */
+    private function getCspHeader(): string
     {
         $mapTileUrl = ' tile.openstreetmap.org';
         $captchaUrl = '';
@@ -444,9 +440,7 @@ private function getCspHeaders(): array
             $captchaUrl = ' ' . $this->config->config->CaptchaCsp . ' ';
         }
 
-        $headers = [];
-
-        $headers['Content-Security-Policy'] = sprintf(
+        return sprintf(
             'default-src \'self\' %s%s;script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' %s%s;'
                 . 'style-src \'self\' \'unsafe-inline\' %s%s;img-src \'self\' data: %s%s%s;object-src \'none\';',
             $captchaUrl,
@@ -459,32 +453,6 @@ private function getCspHeaders(): array
             $mapTileUrl,
             $captchaUrl,
         );
-
-        $headers['X-Content-Security-Policy'] = sprintf(
-            'default-src \'self\' %s%s;options inline-script eval-script;'
-                . 'referrer no-referrer;img-src \'self\' data: %s%s%s;object-src \'none\';',
-            $captchaUrl,
-            $cspAllow,
-            $cspAllow,
-            $mapTileUrl,
-            $captchaUrl,
-        );
-
-        $headers['X-WebKit-CSP'] = sprintf(
-            'default-src \'self\' %s%s;script-src \'self\' %s%s \'unsafe-inline\' \'unsafe-eval\';'
-                . 'referrer no-referrer;style-src \'self\' \'unsafe-inline\' %s;'
-                . 'img-src \'self\' data: %s%s%s;object-src \'none\';',
-            $captchaUrl,
-            $cspAllow,
-            $captchaUrl,
-            $cspAllow,
-            $captchaUrl,
-            $cspAllow,
-            $mapTileUrl,
-            $captchaUrl,
-        );
-
-        return $headers;
     }
 
     private function getVariablesForJavaScript(): string

tests/unit/HeaderTest.php

@@ -188,8 +188,6 @@ public function testGetHttpHeaders(
         string $captchaCsp,
         string|null $expectedFrameOptions,
         string $expectedCsp,
-        string $expectedXCsp,
-        string $expectedWebKitCsp,
     ): void {
         $header = $this->getNewHeaderInstance();
 
@@ -204,8 +202,6 @@ public function testGetHttpHeaders(
             'X-Frame-Options' => $expectedFrameOptions ?? '',
             'Referrer-Policy' => 'same-origin',
             'Content-Security-Policy' => $expectedCsp,
-            'X-Content-Security-Policy' => $expectedXCsp,
-            'X-WebKit-CSP' => $expectedWebKitCsp,
             'X-XSS-Protection' => '1; mode=block',
             'X-Content-Type-Options' => 'nosniff',
             'X-Permitted-Cross-Domain-Policies' => 'none',
@@ -224,7 +220,7 @@ public function testGetHttpHeaders(
         self::assertSame($expected, $header->getHttpHeaders(MockClock::from('2015-10-21T05:28:00-02:00')));
     }
 
-    /** @return mixed[][] */
+    /** @psalm-return list<array{string|bool, string, string, string, string, string|null, string}> */
     public static function providerForTestGetHttpHeaders(): array
     {
         return [
@@ -238,11 +234,6 @@ public static function providerForTestGetHttpHeaders(): array
                 'default-src \'self\' ;script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' ;'
                     . 'style-src \'self\' \'unsafe-inline\' ;img-src \'self\' data:  tile.openstreetmap.org;'
                     . 'object-src \'none\';',
-                'default-src \'self\' ;options inline-script eval-script;referrer no-referrer;'
-                    . 'img-src \'self\' data:  tile.openstreetmap.org;object-src \'none\';',
-                'default-src \'self\' ;script-src \'self\'  \'unsafe-inline\' \'unsafe-eval\';'
-                    . 'referrer no-referrer;style-src \'self\' \'unsafe-inline\' ;'
-                    . 'img-src \'self\' data:  tile.openstreetmap.org;object-src \'none\';',
             ],
             [
                 'sameorigin',
@@ -257,14 +248,6 @@ public static function providerForTestGetHttpHeaders(): array
                     . 'style-src \'self\' \'unsafe-inline\'  captcha.tld csp.tld example.com example.net;'
                     . 'img-src \'self\' data: example.com example.net tile.openstreetmap.org captcha.tld csp.tld ;'
                     . 'object-src \'none\';',
-                'default-src \'self\'  captcha.tld csp.tld example.com example.net;'
-                    . 'options inline-script eval-script;referrer no-referrer;img-src \'self\' data: example.com '
-                    . 'example.net tile.openstreetmap.org captcha.tld csp.tld ;object-src \'none\';',
-                'default-src \'self\'  captcha.tld csp.tld example.com example.net;script-src \'self\'  '
-                    . 'captcha.tld csp.tld example.com example.net \'unsafe-inline\' \'unsafe-eval\';'
-                    . 'referrer no-referrer;style-src \'self\' \'unsafe-inline\'  captcha.tld csp.tld ;'
-                    . 'img-src \'self\' data: example.com example.net tile.openstreetmap.org captcha.tld csp.tld ;'
-                    . 'object-src \'none\';',
             ],
             [
                 true,
@@ -277,13 +260,6 @@ public static function providerForTestGetHttpHeaders(): array
                     . 'script-src \'self\' \'unsafe-inline\' \'unsafe-eval\'  captcha.tld csp.tld ;'
                     . 'style-src \'self\' \'unsafe-inline\'  captcha.tld csp.tld ;'
                     . 'img-src \'self\' data:  tile.openstreetmap.org captcha.tld csp.tld ;object-src \'none\';',
-                'default-src \'self\'  captcha.tld csp.tld ;'
-                    . 'options inline-script eval-script;referrer no-referrer;'
-                    . 'img-src \'self\' data:  tile.openstreetmap.org captcha.tld csp.tld ;object-src \'none\';',
-                'default-src \'self\'  captcha.tld csp.tld ;'
-                    . 'script-src \'self\'  captcha.tld csp.tld  \'unsafe-inline\' \'unsafe-eval\';'
-                    . 'referrer no-referrer;style-src \'self\' \'unsafe-inline\'  captcha.tld csp.tld ;'
-                    . 'img-src \'self\' data:  tile.openstreetmap.org captcha.tld csp.tld ;object-src \'none\';',
             ],
         ];
     }