symfony
diff --git a/‎src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php‎
Lines changed: 5 additions & 0 deletions b/‎src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php‎
Lines changed: 8 additions & 8 deletions b/‎src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php‎
Lines changed: 8 additions & 8 deletions
@@ -108,6 +108,7 @@ private function removeCspHeaders(Response $response)
     {
         $response->headers->remove('X-Content-Security-Policy');
         $response->headers->remove('Content-Security-Policy');
+        $response->headers->remove('Content-Security-Policy-Report-Only');
     }
 
     /**
@@ -257,6 +258,10 @@ private function getCspHeaders(Response $response)
             $headers['Content-Security-Policy'] = $this->parseDirectives($response->headers->get('Content-Security-Policy'));
         }
 
+        if ($response->headers->has('Content-Security-Policy-Report-Only')) {
+            $headers['Content-Security-Policy-Report-Only'] = $this->parseDirectives($response->headers->get('Content-Security-Policy-Report-Only'));
+        }
+
         if ($response->headers->has('X-Content-Security-Policy')) {
             $headers['X-Content-Security-Policy'] = $this->parseDirectives($response->headers->get('X-Content-Security-Policy'));
         }
 
@@ -97,41 +97,41 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce, array('csp_script_nonce' => $requestScriptNonce, 'csp_style_nonce' => $requestStyleNonce),
                 $this->createRequest($requestNonceHeaders),
                 $this->createResponse($responseNonceHeaders),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $requestScriptNonce, 'csp_style_nonce' => $requestStyleNonce),
                 $this->createRequest($requestNonceHeaders),
                 $this->createResponse(),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $responseScriptNonce, 'csp_style_nonce' => $responseStyleNonce),
                 $this->createRequest(),
                 $this->createResponse($responseNonceHeaders),
-                array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => null, 'Content-Security-Policy-Report-Only' => null, 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
-                $this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:')),
-                array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'X-Content-Security-Policy' => null),
+                $this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'Content-Security-Policy-Report-Only' => 'frame-ancestors http: ; form-action: http:')),
+                array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'Content-Security-Policy-Report-Only' => 'frame-ancestors http: ; form-action: http:', 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
-                $this->createResponse(array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'')),
-                array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
+                $this->createResponse(array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'')),
+                array('Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,7 @@ private function removeCspHeaders(Response $response)`
`108`	`108`	`{`
`109`	`109`	`$response->headers->remove('X-Content-Security-Policy');`
`110`	`110`	`$response->headers->remove('Content-Security-Policy');`
	`111`	`+ $response->headers->remove('Content-Security-Policy-Report-Only');`
`111`	`112`	`}`
`112`	`113`
`113`	`114`	`/**`
`@@ -257,6 +258,10 @@ private function getCspHeaders(Response $response)`
`257`	`258`	`$headers['Content-Security-Policy'] = $this->parseDirectives($response->headers->get('Content-Security-Policy'));`
`258`	`259`	`}`
`259`	`260`
	`261`	`+ if ($response->headers->has('Content-Security-Policy-Report-Only')) {`
	`262`	`+ $headers['Content-Security-Policy-Report-Only'] = $this->parseDirectives($response->headers->get('Content-Security-Policy-Report-Only'));`
	`263`	`+ }`
	`264`	`+`
`260`	`265`	`if ($response->headers->has('X-Content-Security-Policy')) {`
`261`	`266`	`$headers['X-Content-Security-Policy'] = $this->parseDirectives($response->headers->get('X-Content-Security-Policy'));`
`262`	`267`	`}`