CSP: Added missing directives and keywords (#2664)

edukisto · web-flow · commit f154134221a2 · 2020-12-01T21:10:29.000+01:00
This adds missing CSP and UISecurity directives and keywords.
diff --git a/components/prism-csp.js b/components/prism-csp.js
@@ -10,17 +10,20 @@
  */
 
 Prism.languages.csp = {
-	'directive':  {
-		pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
+	'directive': {
+		pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
 		lookbehind: true,
 		alias: 'keyword'
 	},
 	'safe': {
-		pattern: /'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,
+		// CSP2 hashes and nonces are base64 values. CSP3 accepts both base64 and base64url values.
+		// See https://tools.ietf.org/html/rfc4648#section-4
+		// See https://tools.ietf.org/html/rfc4648#section-5
+		pattern: /'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\d=_a-z]+)'/i,
 		alias: 'selector'
 	},
 	'unsafe': {
-		pattern: /(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,
+		pattern: /(?:'unsafe-(?:allow-redirects|dynamic|eval|hash-attributes|hashed-attributes|hashes|inline)'|\*)/i,
 		alias: 'function'
 	}
 };
diff --git a/components/prism-csp.min.js b/components/prism-csp.min.js
diff --git a/tests/languages/csp/directive_with_source_expression_feature.test b/tests/languages/csp/directive_with_source_expression_feature.test
@@ -1,10 +1,24 @@
-script-src example.com;
+input-protection tolerance=50; input-protection-clip before=60; input-protection-selectors div; policy-uri https://example.com; script-src example.com; script-src-attr 'none'; style-src-elem 'none';
 
 ----------------------------------------------------
 
 [
+	["directive", "input-protection"],
+	" tolerance=50; ",
+	["directive", "input-protection-clip"],
+	" before=60; ",
+	["directive", "input-protection-selectors"],
+	" div; ",
+	["directive", "policy-uri"],
+	" https://example.com; ",
 	["directive", "script-src"],
-	" example.com;"
+	" example.com; ",
+	["directive", "script-src-attr"],
+	["safe", "'none'"],
+	"; ",
+	["directive", "style-src-elem"],
+	["safe", "'none'"],
+	";"
 ]
 
 ----------------------------------------------------
diff --git a/tests/languages/csp/safe_feature.test b/tests/languages/csp/safe_feature.test
@@ -1,10 +1,11 @@
-default-src 'none'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';
+default-src 'none' 'report-sample'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';
 
 ----------------------------------------------------
 
 [
 	["directive", "default-src"],
 	["safe", "'none'"],
+	["safe", "'report-sample'"],
 	"; ",
 	["directive", "style-src"],
 	["safe", "'self'"],
diff --git a/tests/languages/csp/unsafe_feature.test b/tests/languages/csp/unsafe_feature.test
@@ -1,12 +1,18 @@
-script-src 'unsafe-inline' 'unsafe-eval' 'unsafe-hashed-attributes';
+navigate-to 'unsafe-allow-redirects'; script-src 'unsafe-dynamic' 'unsafe-eval' 'unsafe-hash-attributes' 'unsafe-hashed-attributes' 'unsafe-hashes' 'unsafe-inline';
 
 ----------------------------------------------------
 
 [
+	["directive", "navigate-to"],
+	["unsafe", "'unsafe-allow-redirects'"],
+	"; ",
 	["directive", "script-src"],
-	["unsafe", "'unsafe-inline'"],
+	["unsafe", "'unsafe-dynamic'"],
 	["unsafe", "'unsafe-eval'"],
+	["unsafe", "'unsafe-hash-attributes'"],
 	["unsafe", "'unsafe-hashed-attributes'"],
+	["unsafe", "'unsafe-hashes'"],
+	["unsafe", "'unsafe-inline'"],
 	";"
 ]
 
