From 286fe5143e720d89131eb09833dc217eaf86ae7d Mon Sep 17 00:00:00 2001
From: Younes ENNAJI
Date: Mon, 2 Mar 2026 03:27:04 +0000
Subject: [PATCH] Update ContentSecurityPolicy handling and ResponseExtension
---
 src/Prime/Http/Csp/ContentSecurityPolicyHandler.php | 12 ++++++++++--
 .../Csp/ContentSecurityPolicyHandlerInterface.php | 5 +++++
 src/Prime/Http/ResponseExtension.php | 10 +++++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/Prime/Http/Csp/ContentSecurityPolicyHandler.php b/src/Prime/Http/Csp/ContentSecurityPolicyHandler.php
index 37374538..7b6d829a 100644
--- a/src/Prime/Http/Csp/ContentSecurityPolicyHandler.php
+++ b/src/Prime/Http/Csp/ContentSecurityPolicyHandler.php
@@ -44,6 +44,11 @@ final class ContentSecurityPolicyHandler implements ContentSecurityPolicyHandler
 $this->cspDisabled = true;
 }
+ public function reset(): void
+ {
+ $this->cspDisabled = false;
+ }
+
 public function updateResponseHeaders(RequestInterface $request, ResponseInterface $response): array
 {
 if ($this->cspDisabled) {
@@ -168,10 +173,13 @@ final class ContentSecurityPolicyHandler implements ContentSecurityPolicyHandler
 $directives = [];
 foreach (explode(';', $header ?: '') as $directive) {
- $parts = explode(' ', trim($directive));
- if (\count($parts) < 1) { // @phpstan-ignore-line
+ $directive = trim($directive);
+
+ if ('' === $directive) {
 continue;
 }
+
+ $parts = explode(' ', $directive);
 $name = array_shift($parts);
 $directives[$name] = $parts;
 }
diff --git a/src/Prime/Http/Csp/ContentSecurityPolicyHandlerInterface.php b/src/Prime/Http/Csp/ContentSecurityPolicyHandlerInterface.php
index 39350d77..fb47408a 100644
--- a/src/Prime/Http/Csp/ContentSecurityPolicyHandlerInterface.php
+++ b/src/Prime/Http/Csp/ContentSecurityPolicyHandlerInterface.php
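Review bot: Nothing visible in this patch calls the new `reset()` in `ContentSecurityPolicyHandler`, so in a long-running worker a `cspDisabled = true` left by one request would still send later requests down the `if ($this->cspDisabled)` branch of `updateResponseHeaders()`. The three changed files show neither a call site nor a reset-hook registration; if that wiring lives elsewhere, the method should say so, for example `/** Re-enables CSP handling; must be invoked between requests in long-running workers. */`. It is also worth confirming that `cspDisabled` is the only per-request state the handler keeps, since the rest of the class is outside the hunk.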
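Review bot: In the second hunk of this file, `explode(' ', $directive)` splits on a single space only, so a directive written with repeated spaces puts empty strings into `$parts`, and one separated by a tab keeps its values glued to the name. Splitting on whitespace runs avoids both: `$parts = preg_split('/\s+/', $directive, -1, \PREG_SPLIT_NO_EMPTY);`. Separately, the unchanged `$directives[$name] = $parts;` lets a later duplicate directive overwrite an earlier one, while the CSP parsing algorithm ignores later duplicates, so the parsed view can differ from what a browser enforces; an `isset($directives[$name])` guard would match that. The enclosing function starts and ends outside the hunk.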
@@ -20,4 +20,9 @@ interface ContentSecurityPolicyHandlerInterface
 * @return array{csp_script_nonce?: ?string, csp_style_nonce?: ?string}
 */
 public function updateResponseHeaders(RequestInterface $request, ResponseInterface $response): array;
+
+ /**
+ * Reset the handler state for long-running processes (Octane, FrankenPHP, etc.).
+ */
+ public function reset(): void;
 }
diff --git a/src/Prime/Http/ResponseExtension.php b/src/Prime/Http/ResponseExtension.php
index 8c61572a..a0b8b3c0 100644
--- a/src/Prime/Http/ResponseExtension.php
+++ b/src/Prime/Http/ResponseExtension.php
@@ -94,7 +94,15 @@ final readonly class ResponseExtension implements ResponseExtensionInterface
 $url = $request->getUri();
 foreach ($this->excludedPaths as $regexPattern) {
- if (preg_match($regexPattern, $url)) {
+ $result = @preg_match($regexPattern, $url);
+
+ if (false === $result) {
+ trigger_error(\sprintf('Invalid regex pattern "%s" in excluded_paths configuration', $regexPattern), \E_USER_WARNING);
+
+ continue;
+ }
+
+ if (1 === $result) {
 return true;
 }
 }
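Review bot: Adding `reset(): void` to `ContentSecurityPolicyHandlerInterface` is a breaking change for any implementation outside these three files, which will fail to load until it defines the method; the patch carries no upgrade note for that. The docblock could also state the contract implementers must meet, for example `Implementations must clear all per-request state here so it cannot carry over into the next request.`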
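Review bot: The `false === $result` branch in the `ResponseExtension` hunk reports every `preg_match()` failure as an invalid pattern, but `false` is also returned for runtime failures such as hitting the backtrack limit on the request-derived `$url`, and the `@` hides PHP's own diagnostic. Including the PCRE reason keeps the cases apart: `\sprintf('preg_match failed for excluded_paths pattern "%s": %s', $regexPattern, preg_last_error_msg())`. Because the loop runs per request, a bad pattern raises the warning on every request; validating `excludedPaths` once when the extension is constructed would surface the misconfiguration earlier and keep logs quiet. After `continue` the URL is treated as not excluded, so confirm that is the safe direction for whatever the exclusion skips; the enclosing method starts and ends outside the hunk.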