[puschie]

Hey, i was trying to use the Content Security Policy feature but i always get the (console) error that your settings has blocked a resource on self

i tied different settings with absolute path and wildcard use ( localhost/[...]/css/* ) and the default self but everything gives the same result.

can someone show me how correct settings should looks like ?

( i also use {csp-script-nonce} in inline blocks but also this result in "Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ([...]), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback" )

Thx

[kilishan]

Hmm. It's been a while since I wrote that code, or read those specs. I just tried a quick example and found at least one problem. Will try to dig into the whole thing tonight and post a simple example, fix bugs, etc.

[kilishan]

Took me a little longer than expected, but I think I've squashed the bugs with CSP. Pull down the latest source and it should be working for you. Here's a quick example to get you started:

First off - turn CSP on in Config/App.php

Code:

public $CSPEnabled = true;

Now refresh your page and you'll see lots of errors in your browser's console. If you have the debug toolbar on - you'll see even more. Please note that the toolbar is not compatible with CSP and should be turned off when you're tuning your CSP rules.

Assuming you have a simple little HTML page like this (which you wouldn't but we have to start somewhere):

Code:

<!doctype html>
<html>
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
</head>
<body>
<style {csp-style-nonce}>
body { background: #efefef; }
</style>

</body>
</html>

You would need to add the following in your base controller, or wherever you want, to get things passing the CSP restrictions:

Code:

$this->response->CSP->setDefaultSrc('self');
$this->response->CSP->addStyleSrc('https://maxcdn.bootstrapcdn.com');
$this->response->CSP->addFontSrc('https://maxcdn.bootstrapcdn.com');

setDefaultSrc isn't really required for this, but will make things a little simpler for you in most cases.

addStyleSrc is required to allow the external Bootstrap stylesheet.
addFontSrc is required to allow Bootstrap to load its fonts.

Because the {csp-style-nonce} tag is in the style tag, a nonce will be automatically created for you and inserted into the header. With these rules, you'll end up with a generated header like:

Code:

Content-Security-Policy:connect-src 'self'; default-src 'self'; font-src https://maxcdn.bootstrapcdn.com; img-src 'self'; script-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com 'nonce-1cb22ae4b1a5c58a66415811';

Hope that helps!

Be sure to read the articles linked in the docs for more information. It can get a bit complex.

[puschie]

Great work
so i dont have to worry about the errors ( shown in console ) ?
still have problems to use local fonts - i guess its an understanding problem on my side^^ ( they are successfully loaded but not used by the css rules in html )

[kilishan]

The errors that show in the console could be from the debug toolbar, or could be from your own code. They are valid errors. However, the only way to know is to turn the toolbar off, and then scan your site looking for errors. Or create a controller to receive and log debug info from the CSP function itself, using the reportOnly and setReportURI settings.

Fonts require the fontSrc setting to be set to where you expect fonts to come from. But, yes, it's a fairly complex topic that I can't begin to answer all of the questions for

[frankenestain]

There's no app.php in config !