Merge pull request #9100 from kenjis/docs-ContentSecurityPolicy

docs: update PHPDoc in ContentSecurityPolicy

Author: kenjis

phpstan-baseline.php

@@ -5929,12 +5929,6 @@
 	'count' => 1,
 	'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
 ];
-$ignoreErrors[] = [
-	// identifier: missingType.iterableValue
-	'message' => '#^Property CodeIgniter\\\\HTTP\\\\ContentSecurityPolicy\\:\\:\\$validSources type has no value type specified in iterable type array\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
-];
 $ignoreErrors[] = [
 	// identifier: codeigniter.superglobalAccess
 	'message' => '#^Accessing offset \'HTTP_USER_AGENT\' directly on \\$_SERVER is discouraged\\.$#',

system/HTTP/ContentSecurityPolicy.php

@@ -31,7 +31,7 @@ class ContentSecurityPolicy
     /**
      * CSP directives
      *
-     * @var array<string, string>
+     * @var array<string, string> [name => property]
      */
     protected array $directives = [
         'base-uri'        => 'baseURI',
@@ -166,7 +166,8 @@ class ContentSecurityPolicy
     protected $sandbox = [];
 
     /**
-     * Used for security enforcement
+     * A set of endpoints to which csp violation reports will be sent when
+     * particular behaviors are prevented.
      *
      * @var string|null
      */
@@ -189,7 +190,7 @@ class ContentSecurityPolicy
     /**
      * Used for security enforcement
      *
-     * @var array
+     * @var list<string>
      */
     protected $validSources = [
         'self',
@@ -242,7 +243,7 @@ class ContentSecurityPolicy
 
     /**
      * An array of header info since we have
-     * to build ourself before passing to Response.
+     * to build ourselves before passing to Response.
      *
      * @var array
      */
@@ -594,6 +595,9 @@ public function addPluginType($mime, ?bool $explicitReporting = null)
      *
      * @see http://www.w3.org/TR/CSP/#directive-report-uri
      *
+     * @param string $uri URL to send reports. Set `''` if you want to remove
+     *                    this directive at runtime.
+     *
      * @return $this
      */
     public function setReportURI(string $uri)

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -379,6 +379,19 @@ public function testReportURI(): void
         $this->assertStringContainsString('report-uri http://example.com/csptracker;', $result);
     }
 
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testRemoveReportURI(): void
+    {
+        $this->prepare();
+        $this->csp->reportOnly(false);
+        $this->csp->setReportURI('');
+        $this->work();
+
+        $result = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertStringNotContainsString('report-uri ', $result);
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testSandboxFlags(): void