Skip to content

Implement Csp#361

Open
TheSyscall wants to merge 23 commits intomainfrom
cps
Open

Implement Csp#361
TheSyscall wants to merge 23 commits intomainfrom
cps

Conversation

@TheSyscall
Copy link
Copy Markdown

@TheSyscall TheSyscall commented Mar 23, 2026
edited
Loading

Add a Csp class which represents the Content-Security-Policy header.

This new class can be used to manage the content security policy.
This class enforces default-src 'self' as a baseline for a secure web application.
The first nonce added to any directive is selected as THE nonce for the CSP.
Setting a nonce is not supported since a nonce could appear in any number of different directives.

@cla-bot cla-bot Bot added the cla/signed label Mar 23, 2026
@TheSyscall TheSyscall self-assigned this Mar 23, 2026
@TheSyscall TheSyscall mentioned this pull request Mar 23, 2026
Open
Al2Klimov
Al2Klimov reviewed Mar 24, 2026
View reviewed changes
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
@TheSyscall TheSyscall requested a review from Al2Klimov March 24, 2026 12:34
Al2Klimov

This comment was marked as resolved.

Sign in to view

@TheSyscall TheSyscall requested a review from Al2Klimov March 25, 2026 11:43
Al2Klimov
Al2Klimov previously approved these changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@Al2Klimov Al2Klimov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested together with Icinga/icingaweb2#5477 (review).

TheSyscall added 14 commits April 7, 2026 10:21
@TheSyscall
Implement Csp
72bbd6f
@TheSyscall
Allow newlines in Csp::fromString
80c996d 
This is not allowed in the specification but it allows for more
organized configuration files.
@TheSyscall
Review suggestions
1ae4773 
- Only add ploicy if we need to
- Use `/` instead of `|` as regex delimiter
- Return array instead of Generator
@TheSyscall
Specify array type
cee77a5
@TheSyscall
Add isEmpty method that checks if the array of directives is empty
d18f301
@TheSyscall
Add tests
53ec3d6
@TheSyscall
Use constation for default-src policies
9b843a4
@TheSyscall
Add policy validation and url evaluation
ac95455
@TheSyscall
Remove unnecessary space check
9f4dd3a 
policies can never have a space since policies itself are space
delimited.
@TheSyscall
Add more tests
c8934de
@TheSyscall
Code style changes
0fd66a2
@TheSyscall
Change dataprovider to use attribute
1224df7
@TheSyscall
fixup! make data provider static
e9da226
@TheSyscall
fixup! phpstan changes
2ae7a62
@TheSyscall TheSyscall requested a review from Al2Klimov April 7, 2026 12:52
Al2Klimov
Al2Klimov reviewed Apr 8, 2026
View reviewed changes
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
@TheSyscall TheSyscall requested a review from Al2Klimov April 15, 2026 07:07
@Al2Klimov Al2Klimov removed their request for review April 16, 2026 10:47
@TheSyscall TheSyscall requested a review from Al2Klimov April 16, 2026 12:08
Al2Klimov

This comment was marked as resolved.

Sign in to view

TheSyscall and others added 3 commits April 17, 2026 09:02
@TheSyscall @Al2Klimov
Apply suggestions from code review
e1d2234 
Co-authored-by: Alexander Aleksandrovič Klimov <al2klimov@gmail.com>
@TheSyscall
Replace isset with ??=
0f22bff
@TheSyscall
Remove extra '' check
60480a8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Al2Klimov Al2Klimov Al2Klimov left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@TheSyscall TheSyscall

Labels

cla/signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TheSyscall @Al2Klimov