release: fixes

- Refactored Permissions-Policy and Accept-CH headers. The hints value is now dynamically generated based on the current Retina, Smart Scaling, and Network Optimization settings, ensuring that only relevant device-specific optimizations are applied.
- Enhance security.

Author: selul

composer.json

@@ -59,6 +59,6 @@
     "php": ">=7.4",
     "codeinwp/themeisle-sdk": "^3.3",
     "codeinwp/optimole-sdk": "^1.2",
-    "enshrined/svg-sanitize": "^0.21.0"
+    "enshrined/svg-sanitize": "^0.22.0"
   }
 }

composer.lock

@@ -131,11 +131,33 @@ public function add_permission_policy() {
 		if ( headers_sent() ) {
 			return;
 		}
-		$policy = 'ch-viewport-width=(self "%1$s")';
+		$policy = $this->get_permissions_policy();
+		if ( empty( $policy ) ) {
+			return;
+		}
+		header( sprintf( 'Permissions-Policy: %s', $policy ), false );
+	}
+
+	/**
+	 * Build the Permissions-Policy header value based on active settings.
+	 *
+	 * @return string Comma-separated policy directives, or empty string when none apply.
+	 */
+	public function get_permissions_policy(): string {
+		$parts       = [];
+		$service_url = esc_url( Optml_Config::$service_url );
+
+		if ( $this->settings->is_scale_enabled() ) {
+			$parts[] = sprintf( 'ch-viewport-width=(self "%s")', $service_url );
+		}
 		if ( $this->settings->get( 'network_optimization' ) === 'enabled' ) {
-			$policy .= ', ch-ect=(self "%1$s")';
+			$parts[] = sprintf( 'ch-ect=(self "%s")', $service_url );
+		}
+		if ( $this->settings->get( 'retina_images' ) === 'enabled' ) {
+			$parts[] = sprintf( 'ch-dpr=(self "%s")', $service_url );
 		}
-		header( sprintf( 'Permissions-Policy: %s', sprintf( $policy, esc_url( Optml_Config::$service_url ) ) ), false );
+
+		return implode( ', ', $parts );
 	}
 	/**
 	 * Function that purges the image cache for a specific file.
@@ -1071,13 +1093,37 @@ public function generator() {
 			return;
 		}
 
-		$hints = 'Viewport-Width';
-		if ( $this->settings->get( 'network_optimization' ) === 'enabled' ) {
-			$hints .= ', ECT';
+		$hints = $this->get_accept_ch_hints();
+		if ( empty( $hints ) ) {
+			return;
 		}
 		echo sprintf( '<meta http-equiv="Accept-CH" content="%s" />', esc_attr( $hints ) );
 	}
 
+	/**
+	 * Build the Accept-CH meta content value based on active settings.
+	 *
+	 * Mirrors the directives used in get_permissions_policy() so both
+	 * the Permissions-Policy header and the Accept-CH meta stay in sync.
+	 *
+	 * @return string Comma-separated hint tokens, or empty string when none apply.
+	 */
+	public function get_accept_ch_hints(): string {
+		$hints = [];
+
+		if ( $this->settings->is_scale_enabled() ) {
+			$hints[] = 'Viewport-Width';
+		}
+		if ( $this->settings->get( 'network_optimization' ) === 'enabled' ) {
+			$hints[] = 'ECT';
+		}
+		if ( $this->settings->get( 'retina_images' ) === 'enabled' ) {
+			$hints[] = 'DPR';
+		}
+
+		return implode( ', ', $hints );
+	}
+
 	/**
 	 * Update daily the quota routine.
 	 */

inc/admin.php

@@ -59,7 +59,7 @@ class Optml_Settings {
 		'cdn'                        => 'disabled',
 		'admin_bar_item'             => 'enabled',
 		'lazyload'                   => 'disabled',
-		'scale'                      => 'disabled',
+		'scale'                      => 'disabled', // Due to legacy reasons the disabled state means that the scale is enabled and the enabled state means that the scale is disabled.
 		'network_optimization'       => 'enabled',
 		'lazyload_placeholder'       => 'enabled',
 		'bg_replacer'                => 'enabled',
@@ -662,6 +662,14 @@ public function is_smart_cropping() {
 	public function is_best_format() {
 		return $this->get( 'best_format' ) === 'enabled';
 	}
+	/**
+	 * Check if scale is enabled.
+	 *
+	 * @return bool Scale enabled
+	 */
+	public function is_scale_enabled() {
+		return $this->get( 'scale' ) === 'disabled'; // Due to legacy reasons the disabled state means that the scale is enabled and the enabled state means that the scale is disabled.
+	}
 
 	/**
 	 * Check if offload limit was reached.

inc/settings.php

@@ -504,7 +504,11 @@ public function add_missing_srcset_attributes( $tag, $missing_srcsets, $new_url,
 			$optimized_url = $this->change_url_for_size( $new_url, $width, $height, $dpr );
 
 			if ( $optimized_url ) {
-				$new_srcset_entries[] = $optimized_url . ' ' . $descriptor;
+				$escaped_url = esc_url( $optimized_url );
+				if ( empty( $escaped_url ) ) {
+					continue;
+				}
+				$new_srcset_entries[] = $escaped_url . ' ' . esc_attr( $descriptor );
 
 				// Add sizes attribute entry for responsive breakpoints
 				if ( $breakpoint > 0 ) {

inc/tag_replacer.php

@@ -311,6 +311,195 @@ public function test_get_bf_notices_banner_dismissal_values() {
 		}
 	}
 
+	// -------------------------------------------------------------------------
+	// get_permissions_policy() tests
+	// -------------------------------------------------------------------------
+
+	/**
+	 * Helper: set scale, network_optimization and retina_images settings, then
+	 * return a fresh Optml_Admin instance that reads those values.
+	 *
+	 * @param string $scale              'enabled' or 'disabled'.
+	 * @param string $network_opt        'enabled' or 'disabled'.
+	 * @param string $retina             'enabled' or 'disabled'.
+	 * @return Optml_Admin
+	 */
+	private function make_admin_with_policy_settings( string $scale, string $network_opt, string $retina ): Optml_Admin {
+		$settings = new Optml_Settings();
+		$settings->update( 'scale', $scale );
+		$settings->update( 'network_optimization', $network_opt );
+		$settings->update( 'retina_images', $retina );
+		Optml_Config::$service_url = 'https://test123.i.optimole.com';
+		return new Optml_Admin();
+	}
+
+	/**
+	 * All three settings off → empty string.
+	 */
+	public function test_permissions_policy_empty_when_all_off() {
+		$admin = $this->make_admin_with_policy_settings( 'enabled', 'disabled', 'disabled' );
+		$this->assertSame( '', $admin->get_permissions_policy() );
+	}
+
+	/**
+	 * Scale ON → ch-viewport-width present; ch-dpr and ch-ect absent.
+	 */
+	public function test_permissions_policy_ch_viewport_width_when_scale_on() {
+		$admin  = $this->make_admin_with_policy_settings( 'disabled', 'disabled', 'disabled' );
+		$policy = $admin->get_permissions_policy();
+		$this->assertStringContainsString( 'ch-viewport-width', $policy );
+		$this->assertStringNotContainsString( 'ch-dpr', $policy );
+		$this->assertStringNotContainsString( 'ch-ect', $policy );
+	}
+
+	/**
+	 * Scale OFF → ch-viewport-width absent.
+	 */
+	public function test_permissions_policy_no_ch_viewport_width_when_scale_off() {
+		$admin = $this->make_admin_with_policy_settings( 'enabled', 'disabled', 'disabled' );
+		$this->assertStringNotContainsString( 'ch-viewport-width', $admin->get_permissions_policy() );
+	}
+
+	/**
+	 * Retina ON → ch-dpr present; ch-viewport-width absent.
+	 */
+	public function test_permissions_policy_ch_dpr_when_retina_on() {
+		$admin  = $this->make_admin_with_policy_settings( 'enabled', 'disabled', 'enabled' );
+		$policy = $admin->get_permissions_policy();
+		$this->assertStringContainsString( 'ch-dpr', $policy );
+		$this->assertStringNotContainsString( 'ch-viewport-width', $policy );
+	}
+
+	/**
+	 * Retina OFF → ch-dpr absent.
+	 */
+	public function test_permissions_policy_no_ch_dpr_when_retina_off() {
+		$admin = $this->make_admin_with_policy_settings( 'enabled', 'disabled', 'disabled' );
+		$this->assertStringNotContainsString( 'ch-dpr', $admin->get_permissions_policy() );
+	}
+
+	/**
+	 * Network optimization ON → ch-ect present.
+	 */
+	public function test_permissions_policy_ch_ect_when_network_optimization_on() {
+		$admin  = $this->make_admin_with_policy_settings( 'enabled', 'enabled', 'disabled' );
+		$policy = $admin->get_permissions_policy();
+		$this->assertStringContainsString( 'ch-ect', $policy );
+	}
+
+	/**
+	 * All three ON → all three directives present in a single string.
+	 */
+	public function test_permissions_policy_all_features_on() {
+		$admin  = $this->make_admin_with_policy_settings( 'disabled', 'enabled', 'enabled' );
+		$policy = $admin->get_permissions_policy();
+		$this->assertStringContainsString( 'ch-viewport-width', $policy );
+		$this->assertStringContainsString( 'ch-ect', $policy );
+		$this->assertStringContainsString( 'ch-dpr', $policy );
+	}
+
+	/**
+	 * Service URL is embedded in the policy when any feature is ON.
+	 */
+	public function test_permissions_policy_service_url_embedded() {
+		$admin  = $this->make_admin_with_policy_settings( 'disabled', 'disabled', 'disabled' );
+		$policy = $admin->get_permissions_policy();
+		$this->assertStringContainsString( 'test123.i.optimole.com', $policy );
+	}
+
+	// -------------------------------------------------------------------------
+	// get_accept_ch_hints() tests
+	// -------------------------------------------------------------------------
+
+	/**
+	 * All three settings off → empty string.
+	 * Note: for the scale setting, 'enabled' = scale IS off (legacy inversion).
+	 */
+	public function test_accept_ch_hints_empty_when_all_off() {
+		$admin = $this->make_admin_with_policy_settings( 'enabled', 'disabled', 'disabled' );
+		$this->assertSame( '', $admin->get_accept_ch_hints() );
+	}
+
+	/**
+	 * Scale ON → Viewport-Width present; DPR and ECT absent.
+	 * Note: 'disabled' raw value = scale IS on (legacy inversion).
+	 */
+	public function test_accept_ch_hints_viewport_width_when_scale_on() {
+		$admin = $this->make_admin_with_policy_settings( 'disabled', 'disabled', 'disabled' );
+		$hints = $admin->get_accept_ch_hints();
+		$this->assertStringContainsString( 'Viewport-Width', $hints );
+		$this->assertStringNotContainsString( 'DPR', $hints );
+		$this->assertStringNotContainsString( 'ECT', $hints );
+	}
+
+	/**
+	 * Scale OFF → Viewport-Width absent.
+	 * Note: 'enabled' raw value = scale IS off (legacy inversion).
+	 */
+	public function test_accept_ch_hints_no_viewport_width_when_scale_off() {
+		$admin = $this->make_admin_with_policy_settings( 'enabled', 'disabled', 'disabled' );
+		$this->assertStringNotContainsString( 'Viewport-Width', $admin->get_accept_ch_hints() );
+	}
+
+	/**
+	 * Retina ON → DPR present; Viewport-Width absent (scale kept off).
+	 */
+	public function test_accept_ch_hints_dpr_when_retina_on() {
+		$admin = $this->make_admin_with_policy_settings( 'enabled', 'disabled', 'enabled' );
+		$hints = $admin->get_accept_ch_hints();
+		$this->assertStringContainsString( 'DPR', $hints );
+		$this->assertStringNotContainsString( 'Viewport-Width', $hints );
+	}
+
+	/**
+	 * Retina OFF → DPR absent.
+	 */
+	public function test_accept_ch_hints_no_dpr_when_retina_off() {
+		$admin = $this->make_admin_with_policy_settings( 'enabled', 'disabled', 'disabled' );
+		$this->assertStringNotContainsString( 'DPR', $admin->get_accept_ch_hints() );
+	}
+
+	/**
+	 * Network optimization ON → ECT present.
+	 */
+	public function test_accept_ch_hints_ect_when_network_optimization_on() {
+		$admin = $this->make_admin_with_policy_settings( 'enabled', 'enabled', 'disabled' );
+		$this->assertStringContainsString( 'ECT', $admin->get_accept_ch_hints() );
+	}
+
+	/**
+	 * All three ON → all three tokens present.
+	 * Note: 'disabled' raw value = scale IS on (legacy inversion).
+	 */
+	public function test_accept_ch_hints_all_features_on() {
+		$admin = $this->make_admin_with_policy_settings( 'disabled', 'enabled', 'enabled' );
+		$hints = $admin->get_accept_ch_hints();
+		$this->assertStringContainsString( 'Viewport-Width', $hints );
+		$this->assertStringContainsString( 'ECT', $hints );
+		$this->assertStringContainsString( 'DPR', $hints );
+	}
+
+	/**
+	 * Hints and policy directives stay in sync: each setting contributes
+	 * to both get_accept_ch_hints() and get_permissions_policy().
+	 * Note: scale uses legacy inversion — 'disabled' raw = scale ON.
+	 */
+	public function test_accept_ch_and_policy_are_in_sync() {
+		foreach ( [ 'scale', 'network_optimization', 'retina_images' ] as $setting ) {
+			// Legacy: 'disabled' = scale ON, 'enabled' = scale OFF.
+			$scale   = $setting === 'scale' ? 'disabled' : 'enabled';
+			$net_opt = $setting === 'network_optimization' ? 'enabled' : 'disabled';
+			$retina  = $setting === 'retina_images' ? 'enabled' : 'disabled';
+
+			$admin  = $this->make_admin_with_policy_settings( $scale, $net_opt, $retina );
+			$hints  = $admin->get_accept_ch_hints();
+			$policy = $admin->get_permissions_policy();
+
+			$this->assertNotEmpty( $hints, "Expected non-empty hints for setting: $setting" );
+			$this->assertNotEmpty( $policy, "Expected non-empty policy for setting: $setting" );
+		}
+	}
+
 	/**
 	 * Test get_bf_notices at exact boundary conditions.
 	 */