+ added runtime setter

+ added to libraries/response doc

Signed-off-by: Christoph Potas <christoph286@googlemail.com>

system/HTTP/ContentSecurityPolicy.php

@@ -438,6 +438,26 @@ class ContentSecurityPolicy
 
 		return $this;
 	}
+	
+	//--------------------------------------------------------------------
+
+	/**
+	 * Adds a new valid endpoint for manifest sources. Can be either
+	 * a URI class or simple string.
+	 *
+	 * @see https://www.w3.org/TR/CSP/#directive-manifest-src
+	 *
+	 * @param	   $uri
+	 * @param bool $reportOnly
+	 *
+	 * @return $this
+	 */
+	public function addManifestSrc($uri, bool $reportOnly = false)
+	{
+		$this->addOption($uri, 'manifestSrc', $reportOnly);
+
+		return $this;
+	}
 
 	//--------------------------------------------------------------------
 

user_guide_src/source/libraries/response.rst

@@ -179,6 +179,7 @@ class holds a number of methods that map pretty clearly to the appropriate heade
 	$response->CSP->addFrameAncestor('none', $reportOnly);
 	$response->CSP->addImageSrc('cdn.example.com', $reportOnly);
 	$response->CSP->addMediaSrc('cdn.example.com', $reportOnly);
+	$response->CSP->addManifestSrc('cdn.example.com', $reportOnly);
 	$response->CSP->addObjectSrc('cdn.example.com', $reportOnly);
 	$response->CSP->addPluginType('application/pdf', $reportOnly);
 	$response->CSP->addScriptSrc('scripts.example.com', $reportOnly);