feat: Add script-src-elem option to CSP options.

app/Config/ContentSecurityPolicy.php

@@ -56,6 +56,13 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public $scriptSrc = 'self';
 
+    /**
+     * Lists allowed scripts' URLs.
+     *
+     * @var list<string>|string
+     */
+    public $scriptSrcElem = 'self';
+
     /**
      * Lists allowed stylesheets' URLs.
      *

system/HTTP/ContentSecurityPolicy.php

@@ -47,6 +47,7 @@ class ContentSecurityPolicy
         'object-src'      => 'objectSrc',
         'plugin-types'    => 'pluginTypes',
         'script-src'      => 'scriptSrc',
+        'script-src-elem' => 'scriptSrcElem',
         'style-src'       => 'styleSrc',
         'manifest-src'    => 'manifestSrc',
         'sandbox'         => 'sandbox',
@@ -144,6 +145,13 @@ class ContentSecurityPolicy
      */
     protected $scriptSrc = [];
 
+    /**
+     * Used for security enforcement
+     *
+     * @var array|string
+     */
+    protected $scriptSrcElem = [];
+
     /**
      * Used for security enforcement
      *
@@ -641,6 +649,23 @@ public function addScriptSrc($uri, ?bool $explicitReporting = null)
         return $this;
     }
 
+    /**
+     * Adds a new valid endpoint for javascript file sources. Can be either
+     * a URI class or a simple string.
+     *
+     * @see https://www.w3.org/TR/CSP/#directive-script-src-elem
+     *
+     * @param array|string $uri
+     *
+     * @return $this
+     */
+    public function addScriptSrcElem($uri, ?bool $explicitReporting = null)
+    {
+        $this->addOption($uri, 'scriptSrcElem', $explicitReporting ?? $this->reportOnly);
+
+        return $this;
+    }
+
     /**
      * Adds a new valid endpoint for CSS file sources. Can be either
      * a URI class or a simple string.

system/Honeypot/Exceptions/HoneypotException.php

@@ -41,6 +41,8 @@ public static function forNoNameField()
      * Thrown when the hidden value of config is false.
      *
      * @return static
+     *
+     * @deprecated 4.6.4 Never used.
      */
     public static function forNoHiddenValue()
     {

system/I18n/Exceptions/I18nException.php

@@ -72,7 +72,7 @@ public static function forInvalidOverDay(string $lastDay, string $day)
      */
     public static function forInvalidHour(string $hour)
     {
-        return new static(lang('Time.invalidHour', [$hour]));
+        return new static(lang('Time.invalidHours', [$hour]));
     }
 
     /**

system/Images/Handlers/ImageMagickHandler.php

@@ -320,7 +320,7 @@ protected function supportedFormatCheck()
         switch ($this->image()->imageType) {
             case IMAGETYPE_WEBP:
                 if (! in_array('WEBP', Imagick::queryFormats(), true)) {
-                    throw ImageException::forInvalidImageCreate(lang('images.webpNotSupported'));
+                    throw ImageException::forInvalidImageCreate(lang('Images.webpNotSupported'));
                 }
                 break;
         }

system/Language/en/Honeypot.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <[email protected]>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+// Honeypot language settings
+return [
+    'noTemplate'      => 'The HTML template for the Honeypot is not configured.',
+    'noNameField'     => 'The name of the Honeypot field is not set.',
+    'theClientIsABot' => 'The Honeypot client may be a bot.',
+];

system/Language/en/Router.php

@@ -16,5 +16,5 @@
     'invalidParameter'         => 'A parameter does not match the expected type.',
     'missingDefaultRoute'      => 'Unable to determine what should be displayed. A default route has not been specified in the routing file.',
     'invalidDynamicController' => 'A dynamic controller is not allowed for security reasons. Route handler: "{0}"',
-    'invalidControllerName'    => 'The namespace delimiter is a backslash (\), not a slash (/). Route handler: "{0}"',
+    'invalidControllerName'    => 'The namespace delimiter is a backslash (\\), not a slash (/). Route handler: "{0}"',
 ];

system/Router/Exceptions/RouterException.php

@@ -28,7 +28,7 @@ class RouterException extends FrameworkException implements ExceptionInterface
      */
     public static function forInvalidParameterType()
     {
-        return new static(lang('Router.invalidParameterType'));
+        return new static(lang('Router.invalidParameter'));
     }
 
     /**

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -302,6 +302,21 @@ public function testScriptSrc(): void
         $this->assertStringContainsString("script-src 'self' cdn.cloudy.com;", (string) $result);
     }
 
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testScriptSrcElem(): void
+    {
+        $this->prepare();
+        $this->csp->addScriptSrcElem('cdn.cloudy.com');
+        $this->csp->addScriptSrcElem('them.com', true);
+        $result = $this->work();
+
+        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertStringContainsString('script-src-elem them.com;', (string) $result);
+        $result = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertStringContainsString("script-src-elem 'self' cdn.cloudy.com;", (string) $result);
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testStyleSrc(): void

user_guide_src/source/changelogs/v4.6.4.rst

@@ -18,6 +18,8 @@ BREAKING
 Message Changes
 ***************
 
+- Added ``Honeypot.noTemplate``, ``Honeypot.noNameField``, ``Honeypot.theClientIsABot``.
+
 *******
 Changes
 *******
@@ -28,6 +30,9 @@ Changes
 Deprecations
 ************
 
+- **Exception:**
+    - The ``CodeIgniter\Honeypot\Exceptions\HoneypotException::forNoHiddenValue()`` method has been deprecated. Never used.
+
 **********
 Bugs Fixed
 **********