Merge pull request #7 from MauricioKruijer/rfc8941-support

RFC-8941 support
mazedlx · Oct 25, 2021 · c9273fa · c9273fa
2 parents 3300fc0 + 9d60643
commit c9273fa
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 24 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 All notable changes to `laravel-feature-policy` will be documented in this file
 
+## 1.2.0 - 2021-10-25
+
+- implemented [RFC-8941](https://datatracker.ietf.org/doc/html/rfc8941) Structured Field Values for directive values
+
 ## 1.1.2 - 2021-01-02
 
 - add PHP 8 support

diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Set Feature-Policy headers in a Laravel app
+# Set Permissions-Policy headers in a Laravel app
 
 **NOW WITH PHP 8 SUPPORT**
 
@@ -8,7 +8,7 @@
 
 This package is strongly inspired by [Spaties](https://spatie.be) [laravel-csp](https://github.com/spatie/laravel-csp) package. Thanks to [Freek van der Herten](https://github.com/freekmurze) and [Thomas Verhelst](https://github.com/TVke) for creating such an awesome package and doing all the heavy lifting!
 
-With Feature-Policy you can control which web platform features to allow and disallow within your web applications. Feature-Policy is a Security Header (like Content-Security-Policy) that is brand new. The list of things you can restrict isn't final yet, I'll add them in time when the specification evolves.
+With Permissions-Policy you can control which web platform permissions to allow and disallow within your web applications. Permissions-Policy is a Security Header (like Content-Security-Policy) that is brand new. The list of things you can restrict isn't final yet, I'll add them in time when the specification evolves.
 
 ## Installation
 
@@ -31,7 +31,7 @@ The contents of the `config/feature-policy.php` file look like this:
 
 return [
     /*
-     * A policy will determine which Feature-Policy headers will be set.
+     * A policy will determine which Permissions-Policy headers will be set.
      * A valid policy extends `Mazedlx\FeaturePolicy\Policies\Policy`
      */
     'policy' => Mazedlx\FeaturePolicy\Policies\Basic::class,
@@ -60,7 +60,7 @@ protected $middlewareGroups = [
 ];
 ```
 
-Alternatively you can add the middleware to the a single route and route group:
+Alternatively you can add the middleware to a single route and route group:
 
 ```php
 // in a routes file
@@ -76,15 +76,15 @@ Route::get('/home', 'HomeController')->middleware(Mazedlx\FeaturePolicy\AddFeatu
 
 ## Usage
 
-This package allows you to define Feature-Policy policies. A Feature-Policy policy determines which Feature-Policy directives will be set in the headers of the response.
+This package allows you to define Permissions-Policy policies. A Feature-Policy policy determines which Permissions-Policy directives will be set in the headers of the response.
 
-An example of a Feature-Policy directive is `microphone`:
+An example of a Permissions-Policy directive is `microphone`:
 
-`Feature-Policy: microphone 'self' https://spatie.be`
+`Permissions-Policy: microphone=(self "https://spatie.be")`
 
-In the above example by specifying `microphone` and allowing it for `'self'` the feature is diabled for all origins except our own and https://spatie.be.
+In the above example by specifying `microphone` and allowing it for `self` makes the permission disabled for all origins except our own and https://spatie.be.
 
-The full list of restrictable directives isn't final yet, but here are some of the things you have access to:
+The full list of directives isn't final yet, but here are some of the things you have access to:
 
 - accelerometer
 - ambient-light-sensor
@@ -105,7 +105,7 @@ The full list of restrictable directives isn't final yet, but here are some of t
 
 You can find the feature definitions at https://github.com/WICG/feature-policy/blob/master/features.md
 
-You can add multiple policy options as an array or as a single string with space-sepearated options:
+You can add multiple policy options as an array or as a single string with space-separated options:
 
 ```php
 // in a policy

diff --git a/src/Policies/Policy.php b/src/Policies/Policy.php
@@ -58,8 +58,11 @@ public function __toString()
             ->map(function (array $values, string $directive) {
                 $valueString = implode(' ', $values);
 
-                return "{$directive} {$valueString}";
-            })->implode(';');
+                return count($values) === 1
+                    ? "{$directive}={$valueString}"
+                    : "{$directive}=({$valueString})";
+
+            })->implode(',');
     }
 
     protected function guardAgainstInvalidDirective(string $directive)
@@ -83,9 +86,9 @@ protected function isSpecialDirectiveValue(string $value)
     protected function sanitizeValue(string $value): string
     {
         if ($this->isSpecialDirectiveValue($value)) {
-            return "'{$value}'";
+            return $value;
         }
 
-        return $value;
+        return "\"{$value}\"";
     }
 }
diff --git a/src/Value.php b/src/Value.php
@@ -6,5 +6,5 @@ abstract class Value
 {
     const ALL = '*';
     const SELF = 'self';
-    const NONE = 'none';
+    const NONE = '()';
 }
diff --git a/tests/AddFeaturePolicyHeadersTest.php b/tests/AddFeaturePolicyHeadersTest.php
@@ -29,7 +29,7 @@ public function it_sets_the_default_feature_policy_headers()
     {
         $headers = $this->getResponseHeaders();
 
-        $this->assertStringContainsString("geolocation 'self'", $headers->get('Permissions-Policy'));
+        $this->assertStringContainsString("geolocation=self", $headers->get('Permissions-Policy'));
     }
 
     /** @test */
@@ -77,7 +77,7 @@ public function configure()
         $headers = $this->getResponseHeaders();
 
         $this->assertEquals(
-            'camera src-1 src-2;fullscreen src-3 src-4',
+            'camera=("src-1" "src-2"),fullscreen=("src-3" "src-4")',
             $headers->get('Permissions-Policy')
         );
     }
@@ -97,13 +97,13 @@ public function configure()
         $headers = $this->getResponseHeaders();
 
         $this->assertEquals(
-            'camera src-1 src-2',
+            'camera=("src-1" "src-2")',
             $headers->get('Permissions-Policy')
         );
     }
 
     /** @test */
-    public function it_quotes_special_directive_values()
+    public function it_doesnt_quotes_special_directive_values()
     {
         $policy = new class extends Policy {
             public function configure()
@@ -117,7 +117,7 @@ public function configure()
         $headers = $this->getResponseHeaders();
 
         $this->assertEquals(
-            "camera 'self'",
+            "camera=self",
             $headers->get('Permissions-Policy')
         );
     }
@@ -137,7 +137,7 @@ public function configure()
         $headers = $this->getResponseHeaders();
 
         $this->assertEquals(
-            "camera src-1 'self' src-2",
+            'camera=("src-1" self "src-2")',
             $headers->get('Permissions-Policy')
         );
     }
@@ -157,7 +157,47 @@ public function configure()
         $headers = $this->getResponseHeaders();
 
         $this->assertEquals(
-            "camera 'self'",
+            'camera=self',
+            $headers->get('Permissions-Policy')
+        );
+    }
+
+    /** @test */
+    public function it_will_render_none_value()
+    {
+        $policy = new class extends Policy {
+            public function configure()
+            {
+                $this->addDirective(Directive::CAMERA, [Value::NONE]);
+            }
+        };
+
+        config(['feature-policy.policy' => get_class($policy)]);
+
+        $headers = $this->getResponseHeaders();
+
+        $this->assertEquals(
+            'camera=()',
+            $headers->get('Permissions-Policy')
+        );
+    }
+
+    /** @test */
+    public function it_will_render_all_value()
+    {
+        $policy = new class extends Policy {
+            public function configure()
+            {
+                $this->addDirective(Directive::CAMERA, [Value::ALL]);
+            }
+        };
+
+        config(['feature-policy.policy' => get_class($policy)]);
+
+        $headers = $this->getResponseHeaders();
+
+        $this->assertEquals(
+            'camera=*',
             $headers->get('Permissions-Policy')
         );
     }
@@ -181,7 +221,7 @@ public function configure()
         $headers = $this->getResponseHeaders('other-route');
 
         $this->assertEquals(
-            'fullscreen custom-policy',
+            'fullscreen="custom-policy"',
             $headers->get('Permissions-Policy')
         );
     }

diff --git a/tests/MiddlewareTest.php b/tests/MiddlewareTest.php
@@ -25,7 +25,7 @@ public function it_sets_the_default_feature_policy_headers()
     {
         $headers = $this->getResponseHeaders();
 
-        $this->assertStringContainsString("geolocation 'self'", $headers->get('Permissions-Policy'));
+        $this->assertStringContainsString('geolocation=self', $headers->get('Permissions-Policy'));
     }
 
     protected function getResponseHeaders(string $url = 'test-route'): HeaderBag