HttpExtension: added support for 'http:' in CSP

Author: dg

src/Bridges/HttpDI/HttpExtension.php

@@ -140,6 +140,9 @@ private static function buildPolicy(array $config): string
 			$policy = $policy === true ? [] : (array) $policy;
 			$value .= $type;
 			foreach ($policy as $item) {
+				if (is_array($item)) {
+					$item = key($item) . ':';
+				}
 				$value .= !isset($nonQuoted[$type]) && preg_match('#^[a-z-]+$#D', $item) ? " '$item'" : " $item";
 			}
 			$value .= '; ';

tests/Http.DI/HttpExtension.csp.phpt

@@ -30,6 +30,7 @@ http:
 		style-src:
 			- self
 			- https://example.com
+			- http:
 		require-sri-for: style
 		sandbox: allow-forms
 		plugin-types: application/x-java-applet
@@ -50,7 +51,7 @@ $container->initialize();
 $headers = headers_list();
 
 preg_match('#nonce-([\w+/]+=*)#', implode($headers), $nonce);
-Assert::contains("Content-Security-Policy: default-src 'self' https://example.com; upgrade-insecure-requests; script-src 'nonce-$nonce[1]'; style-src 'self' https://example.com; require-sri-for style; sandbox allow-forms; plugin-types application/x-java-applet;", $headers);
+Assert::contains("Content-Security-Policy: default-src 'self' https://example.com; upgrade-insecure-requests; script-src 'nonce-$nonce[1]'; style-src 'self' https://example.com http:; require-sri-for style; sandbox allow-forms; plugin-types application/x-java-applet;", $headers);
 Assert::contains("Content-Security-Policy-Report-Only: default-src 'nonce-$nonce[1]'; report-uri https://example.com/report; upgrade-insecure-requests;", $headers);