feat: Add script-src-elem option to CSP options.

Signed-off-by: Mark Unwin <[email protected]>

Author: mark-unwin

app/Config/ContentSecurityPolicy.php

@@ -56,6 +56,13 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public $scriptSrc = 'self';
 
+    /**
+     * Lists allowed scripts' URLs.
+     *
+     * @var list<string>|string
+     */
+    public $scriptSrcElem = 'self';
+
     /**
      * Lists allowed stylesheets' URLs.
      *

system/HTTP/ContentSecurityPolicy.php

@@ -42,6 +42,7 @@ class ContentSecurityPolicy
         'object-src'      => 'objectSrc',
         'plugin-types'    => 'pluginTypes',
         'script-src'      => 'scriptSrc',
+        'script-src-elem' => 'scriptSrcElem',
         'style-src'       => 'styleSrc',
         'manifest-src'    => 'manifestSrc',
         'sandbox'         => 'sandbox',
@@ -153,6 +154,13 @@ class ContentSecurityPolicy
      */
     protected $scriptSrc = [];
 
+    /**
+     * Used for security enforcement
+     *
+     * @var array|string
+     */
+    protected $scriptSrcElem = [];
+
     /**
      * The `style-src` directive restricts which styles the user may applies to the protected resource.
      *
@@ -649,6 +657,23 @@ public function addScriptSrc($uri, ?bool $explicitReporting = null)
         return $this;
     }
 
+    /**
+     * Adds a new valid endpoint for javascript file sources. Can be either
+     * a URI class or a simple string.
+     *
+     * @see https://www.w3.org/TR/CSP/#directive-script-src-elem
+     *
+     * @param array|string $uri
+     *
+     * @return $this
+     */
+    public function addScriptSrcElem($uri, ?bool $explicitReporting = null)
+    {
+        $this->addOption($uri, 'scriptSrcElem', $explicitReporting ?? $this->reportOnly);
+
+        return $this;
+    }
+
     /**
      * Adds a new value to the `style-src` directive.
      *