feat: enclose hash-based CSP directive values in single quotes

system/HTTP/ContentSecurityPolicy.php

@@ -843,7 +843,13 @@ protected function addToHeader(string $name, $values = null)
         $reportSources = [];
 
         foreach ($values as $value => $reportOnly) {
-            if (str_starts_with($value, 'nonce-') || in_array($value, $this->validSources, true)) {
+            if (
+                in_array($value, $this->validSources, true)
+                || str_starts_with($value, 'nonce-')
+                || str_starts_with($value, 'sha256-')
+                || str_starts_with($value, 'sha384-')
+                || str_starts_with($value, 'sha512-')
+            ) {
                 $value = "'{$value}'";
             }
 

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -692,6 +692,27 @@ public function testBodyStyleNonceCustomStyleTag(): void
         $this->assertStringContainsString('nonce=', (string) $response->getBody());
     }
 
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testHashDigestsInScriptSrc(): void
+    {
+        $sha256 = sprintf('sha256-%s', base64_encode(hash('sha256', 'test-script', true)));
+        $sha384 = sprintf('sha384-%s', base64_encode(hash('sha384', 'test-script', true)));
+        $sha512 = sprintf('sha512-%s', base64_encode(hash('sha512', 'test-script', true)));
+
+        $this->csp->addScriptSrc($sha256);
+        $this->csp->addScriptSrc($sha384);
+        $this->csp->addScriptSrc($sha512);
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains(
+            sprintf("script-src 'self' '%s' '%s' '%s'", $sha256, $sha384, $sha512),
+            $this->getCspDirectives($header),
+        );
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testHeaderWrongCaseNotFound(): void

user_guide_src/source/changelogs/v4.7.0.rst

@@ -280,7 +280,6 @@ Libraries
 - **Cache:** Added support for HTTP status in ``ResponseCache``.
 - **Cache:** Added ``Config\Cache::$cacheStatusCodes`` to control which HTTP status codes are allowed to be cached by the ``PageCache`` filter. Defaults to ``[]`` (all status codes for backward compatibility). Recommended value: ``[200]`` to only cache successful responses. See :ref:`Setting $cacheStatusCodes <web_page_caching_cache_status_codes>` for details.
 - **Cache:** Added `APCu <https://www.php.net/apcu>`_ caching driver.
-- **ContentSecurityPolicy:** Added new CSP3 keyword-sources to support the latest CSP3 specification.
 - **CURLRequest:** Added ``shareConnection`` config item to change default share connection.
 - **CURLRequest:** Added ``dns_cache_timeout`` option to change default DNS cache timeout.
 - **CURLRequest:** Added ``fresh_connect`` options to enable/disable request fresh connection.
@@ -338,6 +337,17 @@ HTTP
 Content Security Policy
 -----------------------
 
+- Added support for the new CSP Level 3 keywords:
+    - ``'strict-dynamic'``
+    - ``'unsafe-hashes'``
+    - ``'report-sample'``
+    - ``'unsafe-allow-redirects'``
+    - ``'wasm-unsafe-eval'``
+    - ``'trusted-types-eval'``
+    - ``'report-sha256'``
+    - ``'report-sha384'``
+    - ``'report-sha512'``
+- Hash values for CSP ``script-src`` and ``style-src`` directives can now use SHA-256, SHA-384, and SHA-512 digests.
 - Added support for the following CSP Level 3 directives:
     - ``script-src-elem``