From 04832815ce99e6bcc4b5dd901cdd3ff5a5cd1850 Mon Sep 17 00:00:00 2001
From: "John Paul E. Balandan, CPA" <paulbalandan@gmail.com>
Date: Sun, 1 Feb 2026 20:37:13 +0800
Subject: [PATCH] feat: add support for more CSP3 directives

---
 app/Config/ContentSecurityPolicy.php          | 30 +++++-
 system/HTTP/ContentSecurityPolicy.php         | 97 ++++++++++++++++++-
 .../system/HTTP/ContentSecurityPolicyTest.php | 63 ++++++++++++
 user_guide_src/source/changelogs/v4.7.0.rst   |  6 +-
 user_guide_src/source/outgoing/csp/012.php    |  7 ++
 5 files changed, 197 insertions(+), 6 deletions(-)

diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
index 95022eb7ee43..9180d11c79d9 100644
--- a/app/Config/ContentSecurityPolicy.php
+++ b/app/Config/ContentSecurityPolicy.php
@@ -61,7 +61,15 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * @var list<string>|string
      */
-    public $scriptSrcElem = 'self';
+    public array|string $scriptSrcElem = 'self';
+
+    /**
+     * Specifies valid sources for JavaScript inline event
+     * handlers and JavaScript URLs.
+     *
+     * @var list<string>|string
+     */
+    public array|string $scriptSrcAttr = 'self';
 
     /**
      * Lists allowed stylesheets' URLs.
@@ -70,6 +78,21 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public $styleSrc = 'self';
 
+    /**
+     * Specifies valid sources for stylesheets <link> elements.
+     *
+     * @var list<string>|string
+     */
+    public array|string $styleSrcElem = 'self';
+
+    /**
+     * Specifies valid sources for stylesheets inline
+     * style attributes and `<style>` elements.
+     *
+     * @var list<string>|string
+     */
+    public array|string $styleSrcAttr = 'self';
+
     /**
      * Defines the origins from which images can be loaded.
      *
@@ -152,6 +175,11 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public $manifestSrc;
 
+    /**
+     * @var list<string>|string
+     */
+    public array|string $workerSrc = [];
+
     /**
      * Limits the kinds of plugins a page may invoke.
      *
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 967166137cca..f2e421a758b1 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -46,6 +46,10 @@ class ContentSecurityPolicy
         'sandbox'         => 'sandbox',
         'manifest-src'    => 'manifestSrc',
         'script-src-elem' => 'scriptSrcElem',
+        'script-src-attr' => 'scriptSrcAttr',
+        'style-src-elem'  => 'styleSrcElem',
+        'style-src-attr'  => 'styleSrcAttr',
+        'worker-src'      => 'workerSrc',
     ];
 
     /**
@@ -191,7 +195,38 @@ class ContentSecurityPolicy
      *
      * @var array<string, bool>|string
      */
-    protected $scriptSrcElem = [];
+    protected array|string $scriptSrcElem = [];
+
+    /**
+     * The `script-src-attr` directive applies to event handlers and, if present,
+     * it will override the `script-src` directive for relevant checks.
+     *
+     * @var array<string, bool>|string
+     */
+    protected array|string $scriptSrcAttr = [];
+
+    /**
+     * The `style-src-elem` directive governs the behaviour of styles except
+     * for styles defined in inline attributes.
+     *
+     * @var array<string, bool>|string
+     */
+    protected array|string $styleSrcElem = [];
+
+    /**
+     * The `style-src-attr` directive governs the behaviour of style attributes.
+     *
+     * @var array<string, bool>|string
+     */
+    protected array|string $styleSrcAttr = [];
+
+    /**
+     * The `worker-src` directive restricts the URLs which may be loaded as a `Worker`,
+     * `SharedWorker`, or `ServiceWorker`.
+     *
+     * @var array<string, bool>|string
+     */
+    protected array|string $workerSrc = [];
 
     /**
      * Instructs user agents to rewrite URL schemes by changing HTTP to HTTPS.
@@ -678,16 +713,28 @@ public function addScriptSrc($uri, ?bool $explicitReporting = null)
      * @see https://www.w3.org/TR/CSP/#directive-script-src-elem
      *
      * @param list<string>|string $uri
-     *
-     * @return $this
      */
-    public function addScriptSrcElem($uri, ?bool $explicitReporting = null)
+    public function addScriptSrcElem(array|string $uri, ?bool $explicitReporting = null): static
     {
         $this->addOption($uri, 'scriptSrcElem', $explicitReporting ?? $this->reportOnly);
 
         return $this;
     }
 
+    /**
+     * Adds a new value to the `script-src-attr` directive.
+     *
+     * @see https://www.w3.org/TR/CSP/#directive-script-src-attr
+     *
+     * @param list<string>|string $uri
+     */
+    public function addScriptSrcAttr(array|string $uri, ?bool $explicitReporting = null): static
+    {
+        $this->addOption($uri, 'scriptSrcAttr', $explicitReporting ?? $this->reportOnly);
+
+        return $this;
+    }
+
     /**
      * Adds a new value to the `style-src` directive.
      *
@@ -704,6 +751,48 @@ public function addStyleSrc($uri, ?bool $explicitReporting = null)
         return $this;
     }
 
+    /**
+     * Adds a new value to the `style-src-elem` directive.
+     *
+     * @see https://www.w3.org/TR/CSP/#directive-style-src-elem
+     *
+     * @param list<string>|string $uri
+     */
+    public function addStyleSrcElem(array|string $uri, ?bool $explicitReporting = null): static
+    {
+        $this->addOption($uri, 'styleSrcElem', $explicitReporting ?? $this->reportOnly);
+
+        return $this;
+    }
+
+    /**
+     * Adds a new value to the `style-src-attr` directive.
+     *
+     * @see https://www.w3.org/TR/CSP/#directive-style-src-attr
+     *
+     * @param list<string>|string $uri
+     */
+    public function addStyleSrcAttr(array|string $uri, ?bool $explicitReporting = null): static
+    {
+        $this->addOption($uri, 'styleSrcAttr', $explicitReporting ?? $this->reportOnly);
+
+        return $this;
+    }
+
+    /**
+     * Adds a new value to the `worker-src` directive.
+     *
+     * @see https://www.w3.org/TR/CSP/#directive-worker-src
+     *
+     * @param list<string>|string $uri
+     */
+    public function addWorkerSrc($uri, ?bool $explicitReporting = null): static
+    {
+        $this->addOption($uri, 'workerSrc', $explicitReporting ?? $this->reportOnly);
+
+        return $this;
+    }
+
     /**
      * Sets whether the user agents should rewrite URL schemes, changing HTTP to HTTPS.
      *
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 04ebf316cffd..37d1c836b4da 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -433,6 +433,23 @@ public function testScriptSrcElem(): void
         $this->assertContains("script-src-elem 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testScriptSrcAttr(): void
+    {
+        $this->csp->addScriptSrcAttr('cdn.cloudy.com');
+        $this->csp->addScriptSrcAttr('them.com', true);
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('script-src-attr them.com', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("script-src-attr 'self' cdn.cloudy.com", $this->getCspDirectives($header));
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testStyleSrc(): void
@@ -450,6 +467,52 @@ public function testStyleSrc(): void
         $this->assertContains("style-src 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testStyleSrcElem(): void
+    {
+        $this->csp->addStyleSrcElem('cdn.cloudy.com');
+        $this->csp->addStyleSrcElem('them.com', true);
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('style-src-elem them.com', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("style-src-elem 'self' cdn.cloudy.com", $this->getCspDirectives($header));
+    }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testStyleSrcAttr(): void
+    {
+        $this->csp->addStyleSrcAttr('cdn.cloudy.com');
+        $this->csp->addStyleSrcAttr('them.com', true);
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('style-src-attr them.com', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("style-src-attr 'self' cdn.cloudy.com", $this->getCspDirectives($header));
+    }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testWorkerSrc(): void
+    {
+        $this->csp->addWorkerSrc('workers.com');
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('worker-src workers.com', $this->getCspDirectives($header));
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testBaseURIDefault(): void
diff --git a/user_guide_src/source/changelogs/v4.7.0.rst b/user_guide_src/source/changelogs/v4.7.0.rst
index 7a2af3fc85ee..6bd4f5ee89e1 100644
--- a/user_guide_src/source/changelogs/v4.7.0.rst
+++ b/user_guide_src/source/changelogs/v4.7.0.rst
@@ -340,8 +340,12 @@ Content Security Policy
 
 - Added support for the following CSP Level 3 directives:
     - ``script-src-elem``
+    - ``script-src-attr``
+    - ``style-src-elem``
+    - ``style-src-attr``
+    - ``worker-src``
 
-  Update your CSP configuration in **app/Config/ContentSecurityPolicy.php** to include these new directives as needed.
+  Update your CSP configuration in **app/Config/ContentSecurityPolicy.php** to include these new directives.
 
 Others
 ======
diff --git a/user_guide_src/source/outgoing/csp/012.php b/user_guide_src/source/outgoing/csp/012.php
index 24e145a0fa7b..ccf82ecebcdb 100644
--- a/user_guide_src/source/outgoing/csp/012.php
+++ b/user_guide_src/source/outgoing/csp/012.php
@@ -31,3 +31,10 @@
 $csp->addScriptSrc('scripts.example.com', true); // allow but report requests from here
 $csp->addStyleSrc('css.example.com');
 $csp->addSandbox(['allow-forms', 'allow-scripts']);
+
+// the following CSP3 directives are available in v4.7.0 and later
+$csp->addScriptSrcAttr('trusted.com');
+$csp->addScriptSrcElem('trusted.com');
+$csp->addStyleSrcAttr('trusted.com');
+$csp->addStyleSrcElem('trusted.com');
+$csp->addWorkerSrc('workers.example.com');