/**
* Adds a directive and it's options to the appropriate header. The $values
* array might have options that are geared toward either the regular or the
* reportOnly header, since it's viable to have both simultaneously.
*
* @param string $name
* @param array|string|null $values
* @param ResponseInterface $response
*/
protected function addToHeader(string $name, $values = null, ResponseInterface &$response)
{
if (empty($values)) {
// It's possible that directives like 'sandbox' will not
// have any values passed in, so add them to the main policy.
$response->appendHeader('Content-Security-Policy', $name);
return;
}
if (is_string($values)) {
$values = [$values => 0];
}
$sources = [];
$reportSources = [];
foreach ($values as $value => $reportOnly) {
if (is_numeric($value) && is_string($reportOnly) && !empty($reportOnly)) {
$value = $reportOnly;
$reportOnly = 0;
}
if ($reportOnly === true) {
$reportSources[] = in_array($value, $this->validSources) ? "'{$value}'" : $value;
} else {
if (strpos($value, 'nonce-') === 0) {
$sources[] = "'{$value}'";
} else {
$sources[] = in_array($value, $this->validSources) ? "'{$value}'" : $value;
}
}
}
if (count($sources)) {
$response->appendHeader('Content-Security-Policy', $name . ' ' . implode(' ', $sources));
}
if (count($reportSources)) {
$response->appendHeader('Content-Security-Policy-Report-Only', $name . ' ' . implode(' ', $reportSources));
}
}
