MC-19927: Implement hash-whitelisting, dynamic CSP

Oleksandr Gorkun · Oleksandr Gorkun · commit 8b1d87bb369e · 2019-12-05T16:01:00.000-06:00
diff --git a/app/code/Magento/Csp/Helper/InlineUtil.php b/app/code/Magento/Csp/Helper/InlineUtil.php
@@ -97,7 +97,7 @@ private function extractRemoteFonts(string $styleContent): array
         $urlsFound = [[]];
         preg_match_all('/\@font\-face\s*?\{([^\}]*)[^\}]*?\}/im', $styleContent, $fontFaces);
         foreach ($fontFaces[1] as $fontFaceContent) {
-            preg_match_all('/url\((http(s)?\:[^\)]+)\)/i', $fontFaceContent, $urls);
+            preg_match_all('/url\([\'\"]?(http(s)?\:[^\)]+)[\'\"]?\)/i', $fontFaceContent, $urls);
             $urlsFound[] = $urls[1];
         }
 
diff --git a/dev/tests/integration/testsuite/Magento/Csp/Helper/InlineUtilTest.php b/dev/tests/integration/testsuite/Magento/Csp/Helper/InlineUtilTest.php
@@ -139,17 +139,17 @@ public function getTags(): array
                 'style',
                 ['type' => 'text/css'],
                 "\n    @font-face {\n        font-family: \"MyCustomFont\";"
-                    ."\n        src: url(http://magento.com/static/font.ttf);\n    }\n"
+                    ."\n        src: url(\"http://magento.com/static/font.ttf\");\n    }\n"
                     ."    @font-face {\n        font-family: \"MyCustomFont2\";"
-                    ."\n        src: url(https://magento.com/static/font-2.ttf),"
+                    ."\n        src: url('https://magento.com/static/font-2.ttf'),"
                     ."\n             url(static/font.ttf),"
                     ."\n             url(https://devdocs.magento.com/static/another-font.woff),"
                     ."\n             url(http://devdocs.magento.com/static/font.woff);\n    }\n",
                 "<style type=\"text/css\">"
                     ."\n    @font-face {\n        font-family: \"MyCustomFont\";"
-                    ."\n        src: url(http://magento.com/static/font.ttf);\n    }\n"
+                    ."\n        src: url(\"http://magento.com/static/font.ttf\");\n    }\n"
                     ."    @font-face {\n        font-family: \"MyCustomFont2\";"
-                    ."\n        src: url(https://magento.com/static/font-2.ttf),"
+                    ."\n        src: url('https://magento.com/static/font-2.ttf'),"
                     ."\n             url(static/font.ttf),"
                     ."\n             url(https://devdocs.magento.com/static/another-font.woff),"
                     ."\n             url(http://devdocs.magento.com/static/font.woff);\n    }\n"
@@ -174,7 +174,7 @@ public function getTags(): array
                         false,
                         false,
                         [],
-                        ['ha3DQAQqMpmhqPFaZpQV5tjgDc1QzTkIlfJ2R9hflVw=' => 'sha256']
+                        ['TP6Ulnz1kstJ8PYUKvowgJm0phHhtqJnJCnWxKLXkf0=' => 'sha256']
                     )
                 ]
             ],

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ private function extractRemoteFonts(string $styleContent): array`
`97`	`97`	`$urlsFound = [[]];`
`98`	`98`	`preg_match_all('/\@font\-face\s?\{([^\}])[^\}]*?\}/im', $styleContent, $fontFaces);`
`99`	`99`	`foreach ($fontFaces[1] as $fontFaceContent) {`
`100`		`- preg_match_all('/url\((http(s)?\:[^\)]+)\)/i', $fontFaceContent, $urls);`
	`100`	`+ preg_match_all('/url\([\'\"]?(http(s)?\:[^\)]+)[\'\"]?\)/i', $fontFaceContent, $urls);`
`101`	`101`	`$urlsFound[] = $urls[1];`
`102`	`102`	`}`
`103`	`103`