bug symfony#21318 Don't add csp-headers if none are required (arjenm)

This PR was merged into the 3.2 branch.

Discussion
----------

Don't add csp-headers if none are required

| Q             | A
| ------------- | ---
| Branch?       | 3.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | This PR is also the ticket
| License       | MIT

In 3.2 a tool to adjust Content Security Policy headers in combination with the WebProfiler was added. We encountered a bug in its behavior.
We had CSP-headers that did not have a script-src/style-src nor a default-src (it was something like `form-action: https:`). In that scenario, the ContentSecurityPolicyHandler would add `script-src: 'unsafe-inline' 'nonce-....'`, but that would actually change the "everything is allowed scenario" into "only inline and nonce-... is allowed". The result was _only_ the javascript of WebProfiler was allowed, rather than everything.

This PR fixes the scenario where no default-src nor a script-src/style-src is provided. It simply continue's rather than treats it as an empty list of rules that need additional rules.

~A bug I did find, but not fix, is the fact that that `'unsafe-inline'` is ignored in at least Firefox and Chrome due to the fact there is also a nonce-element in the rule.~

Commits
-------

6fecc94 Don't add csp-headers if none are required

Author: fabpot

src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php

@@ -135,7 +135,8 @@ private function updateCspHeaders(Response $response, array $nonces = array())
                     if (isset($headers[$header]['default-src'])) {
                         $headers[$header][$type] = $headers[$header]['default-src'];
                     } else {
-                        $headers[$header][$type] = array();
+                        // If there is no script-src/style-src and no default-src, no additional rules required.
+                        continue;
                     }
                 }
                 $ruleIsSet = true;

src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php

@@ -118,6 +118,13 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 $this->createResponse($responseNonceHeaders),
                 array('Content-Security-Policy' => null, 'X-Content-Security-Policy' => null),
             ),
+            array(
+                $nonce,
+                array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
+                $this->createRequest(),
+                $this->createResponse(array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:')),
+                array('Content-Security-Policy' => 'frame-ancestors https: ; form-action: https:', 'X-Content-Security-Policy' => null),
+            ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
@@ -130,7 +137,7 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(array('Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'')),
-                array('Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null),
+                array('Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'', 'X-Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
@@ -144,21 +151,21 @@ public function provideRequestAndResponsesForOnKernelResponse()
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'')),
-                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
+                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(array('X-Content-Security-Policy' => 'script-src \'self\'')),
-                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
+                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
             ),
             array(
                 $nonce,
                 array('csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce),
                 $this->createRequest(),
                 $this->createResponse(array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'sha384-LALALALALAAL\'')),
-                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'sha384-LALALALALAAL\' \'nonce-'.$nonce.'\'; style-src \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
+                array('X-Content-Security-Policy' => 'script-src \'self\' \'unsafe-inline\' \'sha384-LALALALALAAL\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy' => null),
             ),
             array(
                 $nonce,