Allow set CSP in the Response via config

Author: natanfelles

src/App.php

@@ -27,6 +27,7 @@
 use Framework\Email\Mailers\SMTPMailer;
 use Framework\Helpers\Isolation;
 use Framework\HTTP\AntiCSRF;
+use Framework\HTTP\CSP;
 use Framework\HTTP\Debug\HTTPCollector;
 use Framework\HTTP\Request;
 use Framework\HTTP\Response;
@@ -1181,6 +1182,12 @@ protected static function setResponse(string $instance) : Response
                 ? $service->setNoCache()
                 : $service->setCache($config['cache']['seconds'], $config['cache']['public'] ?? false);
         }
+        if ( ! empty($config['csp'])) {
+            $service->setCsp(new CSP($config['csp']));
+        }
+        if ( ! empty($config['csp_report_only'])) {
+            $service->setCspReportOnly(new CSP($config['csp_report_only']));
+        }
         return static::setService('response', $service, $instance);
     }
 

tests/configs/response.config.php

@@ -10,6 +10,9 @@
 /**
  * @see App::response()
  */
+
+use Framework\HTTP\CSP;
+
 return [
     'default' => [
         'headers' => [
@@ -21,6 +24,20 @@
             'seconds' => 60,
             'public' => true,
         ],
+        'csp' => [
+            CSP::defaultSrc => [
+                'self',
+            ],
+            CSP::styleSrc => [
+                'self',
+                'cdn.foo.tld',
+            ],
+        ],
+        'csp_report_only' => [
+            CSP::defaultSrc => [
+                'self',
+            ],
+        ],
         'request_instance' => 'default',
     ],
 ];