From 834b0a956c0bffac3a9dbbc3edb880b98a1bd509 Mon Sep 17 00:00:00 2001
From: "John Paul E. Balandan, CPA" <paulbalandan@gmail.com>
Date: Sun, 1 Feb 2026 04:07:34 +0800
Subject: [PATCH] refactor: cleanup `ContentSecurityPolicy`

---
 app/Config/ContentSecurityPolicy.php          |  10 +-
 system/HTTP/ContentSecurityPolicy.php         | 351 +++++++-------
 .../system/HTTP/ContentSecurityPolicyTest.php | 450 +++++++++++-------
 utils/phpstan-baseline/empty.notAllowed.neon  |   7 +-
 utils/phpstan-baseline/loader.neon            |   2 +-
 .../missingType.iterableValue.neon            | 182 +------
 6 files changed, 450 insertions(+), 552 deletions(-)

diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
index 2ac41a70dadb..8096f6cff95e 100644
--- a/app/Config/ContentSecurityPolicy.php
+++ b/app/Config/ContentSecurityPolicy.php
@@ -38,12 +38,12 @@ class ContentSecurityPolicy extends BaseConfig
     public bool $upgradeInsecureRequests = false;
 
     // -------------------------------------------------------------------------
-    // Sources allowed
+    // CSP DIRECTIVES SETTINGS
     // NOTE: once you set a policy to 'none', it cannot be further restricted
     // -------------------------------------------------------------------------
 
     /**
-     * Will default to self if not overridden
+     * Will default to `'self'` if not overridden
      *
      * @var list<string>|string|null
      */
@@ -160,17 +160,17 @@ class ContentSecurityPolicy extends BaseConfig
     public $sandbox;
 
     /**
-     * Nonce tag for style
+     * Nonce placeholder for style tags.
      */
     public string $styleNonceTag = '{csp-style-nonce}';
 
     /**
-     * Nonce tag for script
+     * Nonce placeholder for script tags.
      */
     public string $scriptNonceTag = '{csp-script-nonce}';
 
     /**
-     * Replace nonce tag automatically
+     * Replace nonce tag automatically?
      */
     public bool $autoNonce = true;
 }
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index a6a2b26a71fc..db1db04e0fdf 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -28,12 +28,7 @@
  */
 class ContentSecurityPolicy
 {
-    /**
-     * CSP directives
-     *
-     * @var array<string, string> [name => property]
-     */
-    protected array $directives = [
+    private const DIRECTIVES_ALLOWING_SOURCE_LISTS = [
         'base-uri'        => 'baseURI',
         'child-src'       => 'childSrc',
         'connect-src'     => 'connectSrc',
@@ -50,145 +45,162 @@ class ContentSecurityPolicy
         'style-src'       => 'styleSrc',
         'manifest-src'    => 'manifestSrc',
         'sandbox'         => 'sandbox',
-        'report-uri'      => 'reportURI',
     ];
 
     /**
-     * Used for security enforcement
+     * Map of CSP directives to this class's properties.
      *
-     * @var array|string
+     * @var array<string, string>
+     */
+    protected array $directives = [
+        ...self::DIRECTIVES_ALLOWING_SOURCE_LISTS,
+        'report-uri' => 'reportURI',
+    ];
+
+    /**
+     * The `base-uri` directive restricts the URLs that can be used to specify the document base URL.
+     *
+     * @var array<string, bool>|string|null
      */
     protected $baseURI = [];
 
     /**
-     * Used for security enforcement
+     * The `child-src` directive governs the creation of nested browsing contexts as well
+     * as Worker execution contexts.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $childSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `connect-src` directive restricts which URLs the protected resource can load using script interfaces.
      *
-     * @var array
+     * @var array<string, bool>|string
      */
     protected $connectSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `default-src` directive sets a default source list for a number of directives.
      *
-     * @var array|string
+     * @var array<string, bool>|string|null
      */
     protected $defaultSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `font-src` directive restricts from where the protected resource can load fonts.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $fontSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `form-action` directive restricts which URLs can be used as the action of HTML form elements.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $formAction = [];
 
     /**
-     * Used for security enforcement
+     * The `frame-ancestors` directive indicates whether the user agent should allow embedding
+     * the resource using a `frame`, `iframe`, `object`, `embed` or `applet` element,
+     * or equivalent functionality in non-HTML resources.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $frameAncestors = [];
 
     /**
-     * Used for security enforcement
+     * The `frame-src` directive restricts the URLs which may be loaded into child navigables.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $frameSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `img-src` directive restricts from where the protected resource can load images.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $imageSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `media-src` directive restricts from where the protected resource can load video,
+     * audio, and associated text tracks.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $mediaSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `object-src` directive restricts from where the protected resource can load plugins.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $objectSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `plugin-types` directive restricts the set of plugins that can be invoked by the
+     * protected resource by limiting the types of resources that can be embedded.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $pluginTypes = [];
 
     /**
-     * Used for security enforcement
+     * The `script-src` directive restricts which scripts the protected resource can execute.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $scriptSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `style-src` directive restricts which styles the user may applies to the protected resource.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
     protected $styleSrc = [];
 
     /**
-     * Used for security enforcement
+     * The `sandbox` directive specifies an HTML sandbox policy that the user agent applies to the protected resource.
      *
-     * @var array|string
+     * @var array<string, bool>|string
      */
-    protected $manifestSrc = [];
+    protected $sandbox = [];
 
     /**
-     * Used for security enforcement
+     * The `report-uri` directive specifies a URL to which the user agent sends reports about policy violation.
      *
-     * @var array|string
+     * @var string|null
      */
-    protected $sandbox = [];
+    protected $reportURI;
+
+    // --------------------------------------------------------------
+    // CSP Level 3 Directives
+    // --------------------------------------------------------------
 
     /**
-     * A set of endpoints to which csp violation reports will be sent when
-     * particular behaviors are prevented.
+     * The `manifest-src` directive restricts the URLs from which application manifests may be loaded.
      *
-     * @var string|null
+     * @var array<string, bool>|string
      */
-    protected $reportURI;
+    protected $manifestSrc = [];
 
     /**
-     * Used for security enforcement
+     * Instructs user agents to rewrite URL schemes by changing HTTP to HTTPS.
      *
      * @var bool
      */
     protected $upgradeInsecureRequests = false;
 
     /**
-     * Used for security enforcement
+     * Set to `true` to make all directives report-only instead of enforced.
      *
      * @var bool
      */
     protected $reportOnly = false;
 
     /**
-     * Used for security enforcement
+     * Set of valid source keywords.
      *
      * @var list<string>
      */
@@ -200,60 +212,59 @@ class ContentSecurityPolicy
     ];
 
     /**
-     * Used for security enforcement
+     * Set of nonces generated.
      *
-     * @var array
+     * @var list<string>
      */
     protected $nonces = [];
 
     /**
-     * Nonce for style
+     * Nonce for style tags.
      *
-     * @var string
+     * @var string|null
      */
     protected $styleNonce;
 
     /**
-     * Nonce for script
+     * Nonce for script tags.
      *
-     * @var string
+     * @var string|null
      */
     protected $scriptNonce;
 
     /**
-     * Nonce tag for style
+     * Nonce placeholder for style tags.
      *
      * @var string
      */
     protected $styleNonceTag = '{csp-style-nonce}';
 
     /**
-     * Nonce tag for script
+     * Nonce placeholder for script tags.
      *
      * @var string
      */
     protected $scriptNonceTag = '{csp-script-nonce}';
 
     /**
-     * Replace nonce tag automatically
+     * Replace nonce tags automatically?
      *
      * @var bool
      */
     protected $autoNonce = true;
 
     /**
-     * An array of header info since we have
-     * to build ourselves before passing to Response.
+     * An array of header info since we have to build
+     * ourselves before passing to a Response object.
      *
-     * @var array
+     * @var array<string, string>
      */
     protected $tempHeaders = [];
 
     /**
-     * An array of header info to build
-     * that should only be reported.
+     * An array of header info to build that should only be reported.
      *
-     * @var array
+     * @var array<string, string>
      */
     protected $reportOnlyHeaders = [];
 
@@ -265,27 +276,38 @@ class ContentSecurityPolicy
     protected $CSPEnabled = false;
 
     /**
-     * Constructor.
-     *
      * Stores our default values from the Config file.
      */
     public function __construct(ContentSecurityPolicyConfig $config)
     {
-        $appConfig        = config(App::class);
-        $this->CSPEnabled = $appConfig->CSPEnabled;
+        $this->CSPEnabled = config(App::class)->CSPEnabled;
 
         foreach (get_object_vars($config) as $setting => $value) {
-            if (property_exists($this, $setting)) {
-                $this->{$setting} = $value;
+            if (! property_exists($this, $setting)) {
+                continue;
+            }
+
+            if (
+                in_array($setting, self::DIRECTIVES_ALLOWING_SOURCE_LISTS, true)
+                && is_array($value)
+                && array_is_list($value)
+            ) {
+                // Config sets these directives as `list<string>|string`
+                // but we need them as `array<string, bool>` internally.
+                $this->{$setting} = array_combine($value, array_fill(0, count($value), $this->reportOnly));
+
+                continue;
             }
+
+            $this->{$setting} = $value;
         }
 
         if (! is_array($this->styleSrc)) {
-            $this->styleSrc = [$this->styleSrc];
+            $this->styleSrc = [$this->styleSrc => $this->reportOnly];
         }
 
         if (! is_array($this->scriptSrc)) {
-            $this->scriptSrc = [$this->scriptSrc];
+            $this->scriptSrc = [$this->scriptSrc => $this->reportOnly];
         }
     }
 
@@ -304,7 +326,7 @@ public function getStyleNonce(): string
     {
         if ($this->styleNonce === null) {
             $this->styleNonce = bin2hex(random_bytes(12));
-            $this->styleSrc[] = 'nonce-' . $this->styleNonce;
+            $this->addStyleSrc('nonce-' . $this->styleNonce);
         }
 
         return $this->styleNonce;
@@ -317,7 +339,7 @@ public function getScriptNonce(): string
     {
         if ($this->scriptNonce === null) {
             $this->scriptNonce = bin2hex(random_bytes(12));
-            $this->scriptSrc[] = 'nonce-' . $this->scriptNonce;
+            $this->addScriptSrc('nonce-' . $this->scriptNonce);
         }
 
         return $this->scriptNonce;
@@ -356,13 +378,13 @@ public function reportOnly(bool $value = true)
     }
 
     /**
-     * Adds a new baseURI value. Can be either a URI class or a simple string.
+     * Adds a new value to the `base-uri` directive.
      *
-     * baseURI restricts the URLs that can appear in a page's <base> element.
+     * `base-uri` restricts the URLs that can appear in a page's <base> element.
      *
      * @see http://www.w3.org/TR/CSP/#directive-base-uri
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -374,16 +396,15 @@ public function addBaseURI($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for a form's action. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `child-src` directive.
      *
-     * child-src lists the URLs for workers and embedded frame contents.
+     * `child-src` lists the URLs for workers and embedded frame contents.
      * For example: child-src https://youtube.com would enable embedding
      * videos from YouTube but not from other origins.
      *
      * @see http://www.w3.org/TR/CSP/#directive-child-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -395,15 +416,14 @@ public function addChildSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for a form's action. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `connect-src` directive.
      *
-     * connect-src limits the origins to which you can connect
+     * `connect-src` limits the origins to which you can connect
      * (via XHR, WebSockets, and EventSource).
      *
      * @see http://www.w3.org/TR/CSP/#directive-connect-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -415,15 +435,14 @@ public function addConnectSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for a form's action. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `default-src` directive.
      *
-     * default_src is the URI that is used for many of the settings when
+     * `default-src` is the URI that is used for many of the settings when
      * no other source has been set.
      *
      * @see http://www.w3.org/TR/CSP/#directive-default-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -435,14 +454,13 @@ public function setDefaultSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for a form's action. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `font-src` directive.
      *
-     * font-src specifies the origins that can serve web fonts.
+     * `font-src` specifies the origins that can serve web fonts.
      *
      * @see http://www.w3.org/TR/CSP/#directive-font-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -454,12 +472,11 @@ public function addFontSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for a form's action. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `form-action` directive.
      *
      * @see http://www.w3.org/TR/CSP/#directive-form-action
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -471,12 +488,11 @@ public function addFormAction($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new resource that should allow embedding the resource using
-     * <frame>, <iframe>, <object>, <embed>, or <applet>
+     * Adds a new value to the `frame-ancestors` directive.
      *
      * @see http://www.w3.org/TR/CSP/#directive-frame-ancestors
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -488,12 +504,11 @@ public function addFrameAncestor($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for valid frame sources. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `frame-src` directive.
      *
      * @see http://www.w3.org/TR/CSP/#directive-frame-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -505,12 +520,11 @@ public function addFrameSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for valid image sources. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `img-src` directive.
      *
      * @see http://www.w3.org/TR/CSP/#directive-img-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -522,12 +536,11 @@ public function addImageSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for valid video and audio. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `media-src` directive.
      *
      * @see http://www.w3.org/TR/CSP/#directive-media-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -539,12 +552,11 @@ public function addMediaSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for manifest sources. Can be either
-     * a URI class or simple string.
+     * Adds a new value to the `manifest-src` directive.
      *
      * @see https://www.w3.org/TR/CSP/#directive-manifest-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -556,12 +568,11 @@ public function addManifestSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for Flash and other plugin sources. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `object-src` directive.
      *
      * @see http://www.w3.org/TR/CSP/#directive-object-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -573,12 +584,11 @@ public function addObjectSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Limits the types of plugins that can be used. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `plugin-types` directive.
      *
      * @see http://www.w3.org/TR/CSP/#directive-plugin-types
      *
-     * @param array|string $mime One or more plugin mime types, separate by spaces
+     * @param list<string>|string $mime
      *
      * @return $this
      */
@@ -591,7 +601,7 @@ public function addPluginType($mime, ?bool $explicitReporting = null)
 
     /**
      * Specifies a URL where a browser will send reports when a content
-     * security policy is violated. Can be either a URI class or a simple string.
+     * security policy is violated.
      *
      * @see http://www.w3.org/TR/CSP/#directive-report-uri
      *
@@ -608,12 +618,11 @@ public function setReportURI(string $uri)
     }
 
     /**
-     * specifies an HTML sandbox policy that the user agent applies to
-     * the protected resource.
+     * Adds a new value to the `sandbox` directive.
      *
      * @see http://www.w3.org/TR/CSP/#directive-sandbox
      *
-     * @param array|string $flags An array of sandbox flags that can be added to the directive.
+     * @param list<string>|string $flags
      *
      * @return $this
      */
@@ -625,12 +634,11 @@ public function addSandbox($flags, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for javascript file sources. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `script-src` directive.
      *
-     * @see http://www.w3.org/TR/CSP/#directive-connect-src
+     * @see http://www.w3.org/TR/CSP/#directive-script-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -642,12 +650,11 @@ public function addScriptSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Adds a new valid endpoint for CSS file sources. Can be either
-     * a URI class or a simple string.
+     * Adds a new value to the `style-src` directive.
      *
-     * @see http://www.w3.org/TR/CSP/#directive-connect-src
+     * @see http://www.w3.org/TR/CSP/#directive-style-src
      *
-     * @param array|string $uri
+     * @param list<string>|string $uri
      *
      * @return $this
      */
@@ -659,8 +666,7 @@ public function addStyleSrc($uri, ?bool $explicitReporting = null)
     }
 
     /**
-     * Sets whether the user agents should rewrite URL schemes, changing
-     * HTTP to HTTPS.
+     * Sets whether the user agents should rewrite URL schemes, changing HTTP to HTTPS.
      *
      * @return $this
      */
@@ -682,15 +688,13 @@ protected function addOption($options, string $target, ?bool $explicitReporting
     {
         // Ensure we have an array to work with...
         if (is_string($this->{$target})) {
-            $this->{$target} = [$this->{$target}];
+            $this->{$target} = [$this->{$target} => $this->reportOnly];
         }
 
-        if (is_array($options)) {
-            foreach ($options as $opt) {
-                $this->{$target}[$opt] = $explicitReporting ?? $this->reportOnly;
-            }
-        } else {
-            $this->{$target}[$options] = $explicitReporting ?? $this->reportOnly;
+        $options = is_array($options) ? $options : [$options];
+
+        foreach ($options as $option) {
+            $this->{$target}[$option] = $explicitReporting ?? $this->reportOnly;
         }
     }
 
@@ -703,15 +707,14 @@ protected function addOption($options, string $target, ?bool $explicitReporting
      */
     protected function generateNonces(ResponseInterface $response)
     {
-        $body = $response->getBody();
+        $body = (string) $response->getBody();
 
-        if (empty($body)) {
+        if ($body === '') {
             return;
         }
 
         // Replace style and script placeholders with nonces
-        $pattern = '/(' . preg_quote($this->styleNonceTag, '/')
-            . '|' . preg_quote($this->scriptNonceTag, '/') . ')/';
+        $pattern = sprintf('/(%s|%s)/', preg_quote($this->styleNonceTag, '/'), preg_quote($this->scriptNonceTag, '/'));
 
         $body = preg_replace_callback($pattern, function ($match): string {
             $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce();
@@ -731,21 +734,23 @@ protected function generateNonces(ResponseInterface $response)
      */
     protected function buildHeaders(ResponseInterface $response)
     {
-        // Ensure both headers are available and arrays...
         $response->setHeader('Content-Security-Policy', []);
         $response->setHeader('Content-Security-Policy-Report-Only', []);
 
-        // inject default base & default URIs if needed
-        if (empty($this->baseURI)) {
+        if (in_array($this->baseURI, ['', null, []], true)) {
             $this->baseURI = 'self';
         }
 
-        if (empty($this->defaultSrc)) {
+        if (in_array($this->defaultSrc, ['', null, []], true)) {
             $this->defaultSrc = 'self';
         }
 
         foreach ($this->directives as $name => $property) {
-            if (! empty($this->{$property})) {
+            if ($name === 'report-uri' && (string) $this->reportURI === '') {
+                continue;
+            }
+
+            if ($this->{$property} !== null) {
                 $this->addToHeader($name, $this->{$property});
             }
         }
@@ -753,41 +758,39 @@ protected function buildHeaders(ResponseInterface $response)
         // Compile our own header strings here since if we just
         // append it to the response, it will be joined with
         // commas, not semi-colons as we need.
-        if (! empty($this->tempHeaders)) {
-            $header = '';
+        if ($this->tempHeaders !== []) {
+            $header = [];
 
             foreach ($this->tempHeaders as $name => $value) {
-                $header .= " {$name} {$value};";
+                $header[] = trim("{$name} {$value}");
             }
 
-            // add token only if needed
             if ($this->upgradeInsecureRequests) {
-                $header .= ' upgrade-insecure-requests;';
+                $header[] = 'upgrade-insecure-requests';
             }
 
-            $response->appendHeader('Content-Security-Policy', $header);
+            $response->appendHeader('Content-Security-Policy', implode('; ', $header));
+            $this->tempHeaders = [];
         }
 
-        if (! empty($this->reportOnlyHeaders)) {
-            $header = '';
+        if ($this->reportOnlyHeaders !== []) {
+            $header = [];
 
             foreach ($this->reportOnlyHeaders as $name => $value) {
-                $header .= " {$name} {$value};";
+                $header[] = "{$name} {$value}";
             }
 
-            $response->appendHeader('Content-Security-Policy-Report-Only', $header);
+            $response->appendHeader('Content-Security-Policy-Report-Only', implode('; ', $header));
+            $this->reportOnlyHeaders = [];
         }
-
-        $this->tempHeaders       = [];
-        $this->reportOnlyHeaders = [];
     }
 
     /**
-     * Adds a directive and it's options to the appropriate header. The $values
+     * Adds a directive and its options to the appropriate header. The $values
      * array might have options that are geared toward either the regular or the
      * reportOnly header, since it's viable to have both simultaneously.
      *
-     * @param array|string|null $values
+     * @param array<string, bool>|string $values
      *
      * @return void
      */
@@ -801,19 +804,14 @@ protected function addToHeader(string $name, $values = null)
         $reportSources = [];
 
         foreach ($values as $value => $reportOnly) {
-            if (is_numeric($value) && is_string($reportOnly) && ($reportOnly !== '')) {
-                $value      = $reportOnly;
-                $reportOnly = $this->reportOnly;
-            }
-
-            if (str_starts_with($value, 'nonce-')) {
+            if (str_starts_with($value, 'nonce-') || in_array($value, $this->validSources, true)) {
                 $value = "'{$value}'";
             }
 
-            if ($reportOnly === true) {
-                $reportSources[] = in_array($value, $this->validSources, true) ? "'{$value}'" : $value;
+            if ($reportOnly) {
+                $reportSources[] = $value;
             } else {
-                $sources[] = in_array($value, $this->validSources, true) ? "'{$value}'" : $value;
+                $sources[] = $value;
             }
         }
 
@@ -826,15 +824,14 @@ protected function addToHeader(string $name, $values = null)
         }
     }
 
-    /**
-     * Clear the directive.
-     *
-     * @param string $directive CSP directive
-     */
     public function clearDirective(string $directive): void
     {
-        if ($directive === 'report-uris') {
-            $this->{$this->directives[$directive]} = null;
+        if (! array_key_exists($directive, $this->directives)) {
+            return;
+        }
+
+        if ($directive === 'report-uri') {
+            $this->reportURI = null;
 
             return;
         }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 06dde464a4a4..e8db11eed9a4 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -40,43 +40,54 @@ final class ContentSecurityPolicyTest extends CIUnitTestCase
     protected function setUp(): void
     {
         parent::setUp();
+
+        $this->prepare();
     }
 
-    // Having this method as setUp() doesn't work - can't find Config\App !?
-    protected function prepare(bool $CSPEnabled = true): void
+    private function prepare(bool $CSPEnabled = true): void
     {
         $this->resetServices();
 
-        $config             = config('App');
+        $config = config(App::class);
+
         $config->CSPEnabled = $CSPEnabled;
-        $this->response     = new Response($config);
+
+        $this->response = new Response($config);
         $this->response->pretend(false);
+
         $this->csp = $this->response->getCSP();
     }
 
-    protected function work(string $parm = 'Hello'): bool
+    private function work(string $body = 'Hello'): bool
     {
-        $body = $parm;
         $this->response->setBody($body);
         $this->response->setCookie('foo', 'bar');
 
         ob_start();
         $this->response->send();
-        $buffer = ob_clean();
-        if (ob_get_level() > 0) {
-            ob_end_clean();
+
+        return ob_end_clean();
+    }
+
+    /**
+     * @return list<string>
+     */
+    private function getCspDirectives(string $header): array
+    {
+        if (str_starts_with($header, 'Content-Security-Policy-Report-Only:')) {
+            $header = trim(substr($header, 36));
+        } elseif (str_starts_with($header, 'Content-Security-Policy:')) {
+            $header = trim(substr($header, 24));
         }
 
-        return $buffer;
+        return array_map(trim(...), explode(';', $header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testExistence(): void
     {
-        $this->prepare();
-        $this->work();
-
+        $this->assertTrue($this->work());
         $this->assertHeaderEmitted('Content-Security-Policy:');
     }
 
@@ -84,10 +95,8 @@ public function testExistence(): void
     #[RunInSeparateProcess]
     public function testReportOnly(): void
     {
-        $this->prepare();
         $this->csp->reportOnly(false);
-        $this->work();
-
+        $this->assertTrue($this->work());
         $this->assertHeaderEmitted('Content-Security-Policy:');
     }
 
@@ -95,359 +104,438 @@ public function testReportOnly(): void
     #[RunInSeparateProcess]
     public function testDefaults(): void
     {
-        $this->prepare();
+        $this->assertTrue($this->work());
 
-        $result = $this->work();
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("base-uri 'self';", (string) $result);
-        $this->assertStringContainsString("connect-src 'self';", (string) $result);
-        $this->assertStringContainsString("default-src 'self';", (string) $result);
-        $this->assertStringContainsString("img-src 'self';", (string) $result);
-        $this->assertStringContainsString("script-src 'self';", (string) $result);
-        $this->assertStringContainsString("style-src 'self';", (string) $result);
+        $directives = $this->getCspDirectives($header);
+        $this->assertContains("base-uri 'self'", $directives);
+        $this->assertContains("connect-src 'self'", $directives);
+        $this->assertContains("default-src 'self'", $directives);
+        $this->assertContains("img-src 'self'", $directives);
+        $this->assertContains("script-src 'self'", $directives);
+        $this->assertContains("style-src 'self'", $directives);
+    }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testConfigSetsListAsDirectivesValues(): void
+    {
+        $config              = new CSPConfig();
+        $config->defaultSrc  = ['self', 'example.com'];
+        $config->scriptSrc   = ['self', 'scripts.example.com'];
+        $config->styleSrc    = ['self', 'styles.example.com'];
+        $config->fontSrc     = ['self', 'fonts.example.com'];
+        $config->imageSrc    = ['self', 'images.example.com'];
+        $config->connectSrc  = ['self', 'api.example.com'];
+        $config->frameSrc    = ['self', 'frames.example.com'];
+        $config->childSrc    = ['self', 'childs.example.com'];
+        $config->objectSrc   = ['self', 'objects.example.com'];
+        $config->mediaSrc    = ['self', 'media.example.com'];
+        $config->manifestSrc = ['self', 'manifests.example.com'];
+        $config->pluginTypes = ['application/x-shockwave-flash', 'application/pdf'];
+
+        $csp = new ContentSecurityPolicy($config);
+
+        $response = new Response(new App());
+        $response->pretend(true);
+
+        $response->setBody('Blah blah blah blah');
+        $csp->finalize($response);
+
+        $directives = $this->getCspDirectives($response->getHeaderLine('Content-Security-Policy'));
+        $this->assertContains("default-src 'self' example.com", $directives);
+        $this->assertContains("script-src 'self' scripts.example.com", $directives);
+        $this->assertContains("style-src 'self' styles.example.com", $directives);
+        $this->assertContains("font-src 'self' fonts.example.com", $directives);
+        $this->assertContains("img-src 'self' images.example.com", $directives);
+        $this->assertContains("connect-src 'self' api.example.com", $directives);
+        $this->assertContains("frame-src 'self' frames.example.com", $directives);
+        $this->assertContains("child-src 'self' childs.example.com", $directives);
+        $this->assertContains("object-src 'self' objects.example.com", $directives);
+        $this->assertContains("media-src 'self' media.example.com", $directives);
+        $this->assertContains("manifest-src 'self' manifests.example.com", $directives);
+        $this->assertContains('plugin-types application/x-shockwave-flash application/pdf', $directives);
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testChildSrc(): void
     {
-        $this->prepare();
         $this->csp->addChildSrc('evil.com', true);
         $this->csp->addChildSrc('good.com', false);
-        $result = $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("child-src 'self' good.com", $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('child-src evil.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("child-src 'self' good.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('child-src evil.com', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testConnectSrc(): void
     {
-        $this->prepare();
         $this->csp->reportOnly(true);
         $this->csp->addConnectSrc('iffy.com');
         $this->csp->addConnectSrc('maybe.com');
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString("connect-src 'self' iffy.com maybe.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains("connect-src 'self' iffy.com maybe.com", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testFontSrc(): void
     {
-        $this->prepare();
         $this->csp->reportOnly(true);
         $this->csp->addFontSrc('iffy.com');
         $this->csp->addFontSrc('fontsrus.com', false);
-        $result = $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('font-src iffy.com', $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('font-src iffy.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('font-src fontsrus.com;', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('font-src fontsrus.com', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testFormAction(): void
     {
-        $this->prepare();
         $this->csp->reportOnly(true);
         $this->csp->addFormAction('surveysrus.com');
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString("form-action 'self' surveysrus.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains("form-action 'self' surveysrus.com", $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringNotContainsString("form-action 'self';", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertNotContains("form-action 'self'", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testFrameAncestor(): void
     {
-        $this->prepare();
         $this->csp->addFrameAncestor('self');
         $this->csp->addFrameAncestor('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('frame-ancestors them.com', $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('frame-ancestors them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("frame-ancestors 'self';", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("frame-ancestors 'self'", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testFrameSrc(): void
     {
-        $this->prepare();
         $this->csp->addFrameSrc('self');
         $this->csp->addFrameSrc('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('frame-src them.com', $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('frame-src them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("frame-src 'self';", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("frame-src 'self'", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testImageSrc(): void
     {
-        $this->prepare();
         $this->csp->addImageSrc('cdn.cloudy.com');
         $this->csp->addImageSrc('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('img-src them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("img-src 'self' cdn.cloudy.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('img-src them.com', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("img-src 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testMediaSrc(): void
     {
-        $this->prepare();
         $this->csp->addMediaSrc('self');
         $this->csp->addMediaSrc('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('media-src them.com', $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('media-src them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("media-src 'self';", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("media-src 'self'", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testManifestSrc(): void
     {
-        $this->prepare();
         $this->csp->addManifestSrc('cdn.cloudy.com');
         $this->csp->addManifestSrc('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('manifest-src them.com', $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('manifest-src them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('manifest-src cdn.cloudy.com;', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('manifest-src cdn.cloudy.com', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testPluginType(): void
     {
-        $this->prepare();
         $this->csp->addPluginType('self');
         $this->csp->addPluginType('application/x-shockwave-flash', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('plugin-types application/x-shockwave-flash;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("plugin-types 'self';", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('plugin-types application/x-shockwave-flash', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("plugin-types 'self'", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testPluginArray(): void
     {
-        $this->prepare();
         $this->csp->addPluginType('application/x-shockwave-flash');
         $this->csp->addPluginType('application/wacky-hacky');
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('plugin-types application/x-shockwave-flash application/wacky-hacky;', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('plugin-types application/x-shockwave-flash application/wacky-hacky', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testObjectSrc(): void
     {
-        $this->prepare();
         $this->csp->addObjectSrc('cdn.cloudy.com');
         $this->csp->addObjectSrc('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('object-src them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("object-src 'self' cdn.cloudy.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('object-src them.com', $this->getCspDirectives($header));
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("object-src 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testScriptSrc(): void
     {
-        $this->prepare();
         $this->csp->addScriptSrc('cdn.cloudy.com');
         $this->csp->addScriptSrc('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('script-src them.com', $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('script-src them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("script-src 'self' cdn.cloudy.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("script-src 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testStyleSrc(): void
     {
-        $this->prepare();
         $this->csp->addStyleSrc('cdn.cloudy.com');
         $this->csp->addStyleSrc('them.com', true);
-        $result = $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
+        $this->assertIsString($header);
+        $this->assertContains('style-src them.com', $this->getCspDirectives($header));
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy-Report-Only');
-        $this->assertStringContainsString('style-src them.com;', (string) $result);
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("style-src 'self' cdn.cloudy.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("style-src 'self' cdn.cloudy.com", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testBaseURIDefault(): void
     {
-        $this->prepare();
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("base-uri 'self';", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("base-uri 'self'", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testBaseURI(): void
     {
-        $this->prepare();
         $this->csp->addBaseURI('example.com');
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('base-uri example.com;', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('base-uri example.com', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testBaseURIRich(): void
     {
-        $this->prepare();
         $this->csp->addBaseURI(['self', 'example.com']);
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("base-uri 'self' example.com;", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains("base-uri 'self' example.com", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testDefaultSrc(): void
     {
-        $this->prepare();
         $this->csp->reportOnly(false);
         $this->csp->setDefaultSrc('maybe.com');
         $this->csp->setDefaultSrc('iffy.com');
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('default-src iffy.com;', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('default-src iffy.com', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testReportURI(): void
     {
-        $this->prepare();
         $this->csp->reportOnly(false);
         $this->csp->setReportURI('http://example.com/csptracker');
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('report-uri http://example.com/csptracker;', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('report-uri http://example.com/csptracker', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testRemoveReportURI(): void
     {
-        $this->prepare();
         $this->csp->reportOnly(false);
         $this->csp->setReportURI('');
-        $this->work();
+        $this->assertTrue($this->work());
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertStringNotContainsString('report-uri', $header);
+    }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testSandboxEmptyFlag(): void
+    {
+        $this->csp->addSandbox('');
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringNotContainsString('report-uri ', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('sandbox', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testSandboxFlags(): void
     {
-        $this->prepare();
         $this->csp->reportOnly(false);
         $this->csp->addSandbox(['allow-popups', 'allow-top-navigation']);
-        //      $this->csp->addSandbox('allow-popups');
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('sandbox allow-popups allow-top-navigation;', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('sandbox allow-popups allow-top-navigation', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testUpgradeInsecureRequests(): void
     {
-        $this->prepare();
         $this->csp->upgradeInsecureRequests();
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('upgrade-insecure-requests;', (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertContains('upgrade-insecure-requests', $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testBodyEmpty(): void
     {
-        $this->prepare();
-        $body = '';
-        $this->response->setBody($body);
+        $this->response->setBody('');
         $this->csp->finalize($this->response);
-        $this->assertSame($body, $this->response->getBody());
+        $this->assertSame('', $this->response->getBody());
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testBodyScriptNonce(): void
     {
-        $this->prepare();
         $body = 'Blah blah {csp-script-nonce} blah blah';
+
         $this->response->setBody($body);
         $this->csp->addScriptSrc('cdn.cloudy.com');
+        $this->assertTrue($this->work($body));
 
-        $result     = $this->work($body);
         $nonceStyle = array_filter(
             $this->getPrivateProperty($this->csp, 'styleSrc'),
             static fn ($value): bool => str_starts_with($value, 'nonce-'),
+            ARRAY_FILTER_USE_KEY,
         );
-
-        $this->assertStringContainsString('nonce=', (string) $this->response->getBody());
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('nonce-', (string) $result);
         $this->assertSame([], $nonceStyle);
+
+        $responseBody = $this->response->getBody();
+        $this->assertIsString($responseBody);
+        $this->assertStringContainsString('nonce=', $responseBody);
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertStringContainsString('nonce-', $header);
     }
 
     public function testBodyScriptNonceCustomScriptTag(): void
@@ -508,21 +596,25 @@ public function testBodyStyleNonceDisableAutoNonce(): void
     #[RunInSeparateProcess]
     public function testBodyStyleNonce(): void
     {
-        $this->prepare();
         $body = 'Blah blah {csp-style-nonce} blah blah';
         $this->response->setBody($body);
         $this->csp->addStyleSrc('cdn.cloudy.com');
+        $this->assertTrue($this->work($body));
 
-        $result      = $this->work($body);
         $nonceScript = array_filter(
             $this->getPrivateProperty($this->csp, 'scriptSrc'),
             static fn ($value): bool => str_starts_with($value, 'nonce-'),
+            ARRAY_FILTER_USE_KEY,
         );
-
-        $this->assertStringContainsString('nonce=', (string) $this->response->getBody());
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString('nonce-', (string) $result);
         $this->assertSame([], $nonceScript);
+
+        $responseBody = $this->response->getBody();
+        $this->assertIsString($responseBody);
+        $this->assertStringContainsString('nonce=', $responseBody);
+
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertStringContainsString('nonce-', $header);
     }
 
     public function testBodyStyleNonceCustomStyleTag(): void
@@ -545,22 +637,21 @@ public function testBodyStyleNonceCustomStyleTag(): void
     #[RunInSeparateProcess]
     public function testHeaderWrongCaseNotFound(): void
     {
-        $this->prepare();
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('content-security-policy');
-        $this->assertNull($result);
+        $header = $this->getHeaderEmitted('content-security-policy');
+        $this->assertNull($header);
     }
 
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testHeaderIgnoreCase(): void
     {
-        $this->prepare();
-        $result = $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('content-security-policy', true);
-        $this->assertStringContainsString("base-uri 'self';", (string) $result);
+        $header = $this->getHeaderEmitted('content-security-policy', true);
+        $this->assertIsString($header);
+        $this->assertContains("base-uri 'self'", $this->getCspDirectives($header));
     }
 
     #[PreserveGlobalState(false)]
@@ -568,27 +659,21 @@ public function testHeaderIgnoreCase(): void
     public function testCSPDisabled(): void
     {
         $this->prepare(false);
-        $this->work();
-        $this->response->getCSP()->addStyleSrc('https://example.com');
+        $this->assertTrue($this->work());
 
+        $this->response->getCSP()->addStyleSrc('https://example.com');
         $this->assertHeaderNotEmitted('content-security-policy', true);
     }
 
     public function testGetScriptNonce(): void
     {
-        $this->prepare();
-
         $nonce = $this->csp->getScriptNonce();
-
         $this->assertMatchesRegularExpression('/\A[0-9a-z]{24}\z/', $nonce);
     }
 
     public function testGetStyleNonce(): void
     {
-        $this->prepare();
-
         $nonce = $this->csp->getStyleNonce();
-
         $this->assertMatchesRegularExpression('/\A[0-9a-z]{24}\z/', $nonce);
     }
 
@@ -596,30 +681,31 @@ public function testGetStyleNonce(): void
     #[RunInSeparateProcess]
     public function testHeaderScriptNonceEmittedOnceGetScriptNonceCalled(): void
     {
-        $this->prepare();
-
         $this->csp->getScriptNonce();
-        $this->work();
+        $this->assertTrue($this->work());
 
-        $result = $this->getHeaderEmitted('Content-Security-Policy');
-        $this->assertStringContainsString("script-src 'self' 'nonce-", (string) $result);
+        $header = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertIsString($header);
+        $this->assertStringContainsString("script-src 'self' 'nonce-", $header);
     }
 
     public function testClearDirective(): void
     {
-        $this->prepare();
-
+        $this->csp->addFontSrc('fonts.example.com');
         $this->csp->addStyleSrc('css.example.com');
-        $this->csp->clearDirective('style-src');
-
         $this->csp->setReportURI('http://example.com/csp/reports');
+
+        $this->csp->clearDirective('fonts-src'); // intentional wrong directive
+        $this->csp->clearDirective('style-src');
         $this->csp->clearDirective('report-uri');
+
         $this->csp->finalize($this->response);
 
         $header = $this->response->getHeaderLine('Content-Security-Policy');
 
-        $this->assertStringNotContainsString('style-src ', $header);
-        $this->assertStringNotContainsString('css.example.com', $header);
-        $this->assertStringNotContainsString('report-uri', $header);
+        $directives = $this->getCspDirectives($header);
+        $this->assertContains('font-src fonts.example.com', $directives);
+        $this->assertNotContains('style-src css.example.com', $directives);
+        $this->assertNotContains('report-uri http://example.com/csp/reports', $directives);
     }
 }
diff --git a/utils/phpstan-baseline/empty.notAllowed.neon b/utils/phpstan-baseline/empty.notAllowed.neon
index 9eaa16221db1..0f92e89f912e 100644
--- a/utils/phpstan-baseline/empty.notAllowed.neon
+++ b/utils/phpstan-baseline/empty.notAllowed.neon
@@ -1,4 +1,4 @@
-# total 220 errors
+# total 214 errors
 
 parameters:
     ignoreErrors:
@@ -212,11 +212,6 @@ parameters:
             count: 10
             path: ../../system/HTTP/CURLRequest.php
 
-        -
-            message: '#^Construct empty\(\) is not allowed\. Use more strict comparison\.$#'
-            count: 6
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
         -
             message: '#^Construct empty\(\) is not allowed\. Use more strict comparison\.$#'
             count: 1
diff --git a/utils/phpstan-baseline/loader.neon b/utils/phpstan-baseline/loader.neon
index 716ac0c5aa96..7c302e27351d 100644
--- a/utils/phpstan-baseline/loader.neon
+++ b/utils/phpstan-baseline/loader.neon
@@ -1,4 +1,4 @@
-# total 2164 errors
+# total 2122 errors
 
 includes:
     - argument.type.neon
diff --git a/utils/phpstan-baseline/missingType.iterableValue.neon b/utils/phpstan-baseline/missingType.iterableValue.neon
index 66a3b4d712ac..40f5697844e5 100644
--- a/utils/phpstan-baseline/missingType.iterableValue.neon
+++ b/utils/phpstan-baseline/missingType.iterableValue.neon
@@ -1,4 +1,4 @@
-# total 1305 errors
+# total 1269 errors
 
 parameters:
     ignoreErrors:
@@ -2637,186 +2637,6 @@ parameters:
             count: 1
             path: ../../system/HTTP/CURLRequest.php
 
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addBaseURI\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addChildSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addConnectSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addFontSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addFormAction\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addFrameAncestor\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addFrameSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addImageSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addManifestSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addMediaSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addObjectSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addPluginType\(\) has parameter \$mime with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addSandbox\(\) has parameter \$flags with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addScriptSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addStyleSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:addToHeader\(\) has parameter \$values with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Method CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:setDefaultSrc\(\) has parameter \$uri with no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$baseURI type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$childSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$connectSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$defaultSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$fontSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$formAction type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$frameAncestors type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$frameSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$imageSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$manifestSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$mediaSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$nonces type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$objectSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$pluginTypes type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$reportOnlyHeaders type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$sandbox type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$scriptSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$styleSrc type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
-        -
-            message: '#^Property CodeIgniter\\HTTP\\ContentSecurityPolicy\:\:\$tempHeaders type has no value type specified in iterable type array\.$#'
-            count: 1
-            path: ../../system/HTTP/ContentSecurityPolicy.php
-
         -
             message: '#^Method CodeIgniter\\HTTP\\Files\\FileCollection\:\:all\(\) return type has no value type specified in iterable type array\.$#'
             count: 1