From cee9ac5b65e573d2572c95fabdf0f1d4e3c74850 Mon Sep 17 00:00:00 2001
From: Mark Unwin <mark.unwin@gmail.com>
Date: Tue, 16 Sep 2025 10:21:46 +1000
Subject: [PATCH 1/3] feat: Add script-src-elem option to CSP options.

Signed-off-by: Mark Unwin <mark.unwin@gmail.com>
---
 app/Config/ContentSecurityPolicy.php  |  7 +++++++
 system/HTTP/ContentSecurityPolicy.php | 25 +++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
index 8096f6cff95e..b720ef54f19d 100644
--- a/app/Config/ContentSecurityPolicy.php
+++ b/app/Config/ContentSecurityPolicy.php
@@ -56,6 +56,13 @@ class ContentSecurityPolicy extends BaseConfig
      */
     public $scriptSrc = 'self';
 
+    /**
+     * Lists allowed scripts' URLs.
+     *
+     * @var list<string>|string
+     */
+    public $scriptSrcElem = 'self';
+
     /**
      * Lists allowed stylesheets' URLs.
      *
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index db1db04e0fdf..cae4fa429bb7 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -42,6 +42,7 @@ class ContentSecurityPolicy
         'object-src'      => 'objectSrc',
         'plugin-types'    => 'pluginTypes',
         'script-src'      => 'scriptSrc',
+        'script-src-elem' => 'scriptSrcElem',
         'style-src'       => 'styleSrc',
         'manifest-src'    => 'manifestSrc',
         'sandbox'         => 'sandbox',
@@ -153,6 +154,13 @@ class ContentSecurityPolicy
      */
     protected $scriptSrc = [];
 
+    /**
+     * Used for security enforcement
+     *
+     * @var array|string
+     */
+    protected $scriptSrcElem = [];
+
     /**
      * The `style-src` directive restricts which styles the user may applies to the protected resource.
      *
@@ -649,6 +657,23 @@ public function addScriptSrc($uri, ?bool $explicitReporting = null)
         return $this;
     }
 
+    /**
+     * Adds a new valid endpoint for javascript file sources. Can be either
+     * a URI class or a simple string.
+     *
+     * @see https://www.w3.org/TR/CSP/#directive-script-src-elem
+     *
+     * @param array|string $uri
+     *
+     * @return $this
+     */
+    public function addScriptSrcElem($uri, ?bool $explicitReporting = null)
+    {
+        $this->addOption($uri, 'scriptSrcElem', $explicitReporting ?? $this->reportOnly);
+
+        return $this;
+    }
+
     /**
      * Adds a new value to the `style-src` directive.
      *

From 221b20fae2a7b981f05f198dc72d55fd50a04523 Mon Sep 17 00:00:00 2001
From: Mark Unwin <mark.unwin@gmail.com>
Date: Tue, 16 Sep 2025 10:34:26 +1000
Subject: [PATCH 2/3] fix: Add missing unit test for script-src-elem.

Signed-off-by: Mark Unwin <mark.unwin@gmail.com>
---
 tests/system/HTTP/ContentSecurityPolicyTest.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index e8db11eed9a4..bf618ec3dd81 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -374,6 +374,21 @@ public function testScriptSrc(): void
         $this->assertContains("script-src 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testScriptSrcElem(): void
+    {
+        $this->prepare();
+        $this->csp->addScriptSrcElem('cdn.cloudy.com');
+        $this->csp->addScriptSrcElem('them.com', true);
+        $result = $this->work();
+
+        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertStringContainsString('script-src-elem them.com;', (string) $result);
+        $result = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertStringContainsString("script-src-elem 'self' cdn.cloudy.com;", (string) $result);
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testStyleSrc(): void

From 6442b90310004ea8d924db112f6c0ea55cfae21d Mon Sep 17 00:00:00 2001
From: "John Paul E. Balandan, CPA" <paulbalandan@gmail.com>
Date: Sun, 1 Feb 2026 18:20:45 +0800
Subject: [PATCH 3/3] Fixes

---
 app/Config/ContentSecurityPolicy.php          |  2 +-
 system/HTTP/ContentSecurityPolicy.php         | 23 +++++++++----------
 .../system/HTTP/ContentSecurityPolicyTest.php | 14 ++++++-----
 user_guide_src/source/changelogs/v4.7.0.rst   | 12 ++++++++--
 4 files changed, 30 insertions(+), 21 deletions(-)

diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
index b720ef54f19d..95022eb7ee43 100644
--- a/app/Config/ContentSecurityPolicy.php
+++ b/app/Config/ContentSecurityPolicy.php
@@ -57,7 +57,7 @@ class ContentSecurityPolicy extends BaseConfig
     public $scriptSrc = 'self';
 
     /**
-     * Lists allowed scripts' URLs.
+     * Specifies valid sources for JavaScript <script> elements.
      *
      * @var list<string>|string
      */
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index cae4fa429bb7..00e007d00dec 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -42,10 +42,10 @@ class ContentSecurityPolicy
         'object-src'      => 'objectSrc',
         'plugin-types'    => 'pluginTypes',
         'script-src'      => 'scriptSrc',
-        'script-src-elem' => 'scriptSrcElem',
         'style-src'       => 'styleSrc',
-        'manifest-src'    => 'manifestSrc',
         'sandbox'         => 'sandbox',
+        'manifest-src'    => 'manifestSrc',
+        'script-src-elem' => 'scriptSrcElem',
     ];
 
     /**
@@ -154,13 +154,6 @@ class ContentSecurityPolicy
      */
     protected $scriptSrc = [];
 
-    /**
-     * Used for security enforcement
-     *
-     * @var array|string
-     */
-    protected $scriptSrcElem = [];
-
     /**
      * The `style-src` directive restricts which styles the user may applies to the protected resource.
      *
@@ -193,6 +186,13 @@ class ContentSecurityPolicy
      */
     protected $manifestSrc = [];
 
+    /**
+     * The `script-src-elem` directive applies to all script requests and script blocks.
+     *
+     * @var array<string, bool>|string
+     */
+    protected $scriptSrcElem = [];
+
     /**
      * Instructs user agents to rewrite URL schemes by changing HTTP to HTTPS.
      *
@@ -658,12 +658,11 @@ public function addScriptSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for javascript file sources. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `script-src-elem` directive.
      *
      * @see https://www.w3.org/TR/CSP/#directive-script-src-elem
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index bf618ec3dd81..a73b0627c0b8 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -378,15 +378,17 @@ public function testScriptSrc(): void
     #[RunInSeparateProcess]
     public function testScriptSrcElem(): void
     {
-        $this->prepare();
         $this->csp->addScriptSrcElem('cdn.cloudy.com');
         $this->csp->addScriptSrcElem('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('script-src-elem them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("script-src-elem 'self' cdn.cloudy.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('script-src-elem them.com', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("script-src-elem 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
diff --git a/user_guide_src/source/changelogs/v4.7.0.rst b/user_guide_src/source/changelogs/v4.7.0.rst
index 562c7f5a4da9..fc35ff21254e 100644
--- a/user_guide_src/source/changelogs/v4.7.0.rst
+++ b/user_guide_src/source/changelogs/v4.7.0.rst
@@ -331,8 +331,16 @@ Others
 Model
 =====
 
-Helpers and Functions
-=====================
+HTTP
+====
+
+Content Security Policy
+-----------------------
+
+- Added support for the following CSP Level 3 directives:
+    - ``script-src-elem``
+
+  Update your CSP configuration in **app/Config/ContentSecurityPolicy.php** to include these new directives as needed.
 
 Others
 ======