Welcome Guest, Not a member yet? Register   Sign In
how to configure CSP correctly
#3

Took me a little longer than expected, but I think I've squashed the bugs with CSP. Pull down the latest source and it should be working for you. Here's a quick example to get you started:

First off - turn CSP on in Config/App.php

Code:
public $CSPEnabled = true;

Now refresh your page and you'll see lots of errors in your browser's console. If you have the debug toolbar on - you'll see even more. Please note that the toolbar is not compatible with CSP and should be turned off when you're tuning your CSP rules.

Assuming you have a simple little HTML page like this (which you wouldn't but we have to start somewhere):

Code:
<!doctype html>
<html>
<head>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
</head>
<body>
<style {csp-style-nonce}>
body { background: #efefef; }
</style>

</body>
</html>


You would need to add the following in your base controller, or wherever you want, to get things passing the CSP restrictions:

Code:
$this->response->CSP->setDefaultSrc('self');
$this->response->CSP->addStyleSrc('https://maxcdn.bootstrapcdn.com');
$this->response->CSP->addFontSrc('https://maxcdn.bootstrapcdn.com');

setDefaultSrc isn't really required for this, but will make things a little simpler for you in most cases.

addStyleSrc is required to allow the external Bootstrap stylesheet.
addFontSrc is required to allow Bootstrap to load its fonts.

Because the {csp-style-nonce} tag is in the style tag, a nonce will be automatically created for you and inserted into the header. With these rules, you'll end up with a generated header like:

Code:
Content-Security-Policy:connect-src 'self'; default-src 'self'; font-src https://maxcdn.bootstrapcdn.com; img-src 'self'; script-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com 'nonce-1cb22ae4b1a5c58a66415811';

Hope that helps!

Be sure to read the articles linked in the docs for more information. It can get a bit complex.
Reply


Messages In This Thread
how to configure CSP correctly - by puschie - 07-06-2017, 01:55 AM
RE: how to configure CSP correctly - by kilishan - 07-06-2017, 10:36 AM
RE: how to configure CSP correctly - by kilishan - 07-07-2017, 10:12 PM
RE: how to configure CSP correctly - by puschie - 07-09-2017, 11:58 PM
RE: how to configure CSP correctly - by kilishan - 07-10-2017, 06:17 AM
RE: how to configure CSP correctly - by ttwist - 11-25-2019, 11:17 PM
RE: how to configure CSP correctly - by egranty - 11-23-2020, 09:29 AM
RE: how to configure CSP correctly - by z72diego - 04-17-2024, 03:03 AM



Theme © iAndrew 2016 - Forum software by © MyBB