Skip to content

Allow custom csp header#5477

Open
TheSyscall wants to merge 83 commits intomainfrom
allow-custom-csp-header-5333
Open

Allow custom csp header#5477
TheSyscall wants to merge 83 commits intomainfrom
allow-custom-csp-header-5333

Conversation

@TheSyscall
Copy link
Copy Markdown

@TheSyscall TheSyscall commented Mar 12, 2026
edited
Loading

Taking over #5337 (#5337 (comment)) and implementing an override for a completely custom CSP-Header.

As well as adding a table below the form which displays the source of the automatically generated CSP-Header.

Styling for this table is still WIP.

requires Icinga/ipl-web#358
requires Icinga/ipl-web#361

closes #5337
closes #5333

@TheSyscall TheSyscall requested a review from nilmerg March 12, 2026 13:02
@TheSyscall TheSyscall self-assigned this Mar 12, 2026
@cla-bot

This comment was marked as duplicate.

Sign in to view
@TheSyscall TheSyscall requested a review from Al2Klimov March 12, 2026 13:03
@cla-bot

This comment was marked as duplicate.

Sign in to view
1 similar comment
@cla-bot

This comment was marked as duplicate.

Sign in to view
@TheSyscall TheSyscall mentioned this pull request Mar 12, 2026
Open
@Al2Klimov Al2Klimov mentioned this pull request Mar 12, 2026
Open
@cla-bot

This comment was marked as resolved.

Sign in to view
Al2Klimov

This comment was marked as resolved.

Sign in to view

@bobapple
Copy link
Copy Markdown
Member

bobapple commented Mar 13, 2026

@cla-bot check

@cla-bot cla-bot bot added the cla/signed label Mar 13, 2026
@TheSyscall TheSyscall force-pushed the allow-custom-csp-header-5333 branch from 735beb2 to cdef4c4 Compare March 13, 2026 13:18
@TheSyscall

This comment was marked as resolved.

Sign in to view
@TheSyscall TheSyscall requested a review from Al2Klimov March 13, 2026 13:25
@Al2Klimov Al2Klimov removed the request for review from nilmerg March 13, 2026 14:44
Al2Klimov
Al2Klimov requested changes Mar 13, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@Al2Klimov Al2Klimov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

13 review comments should be enough for a Friday 13th. :D

application/forms/Config/General/CspConfigForm.php Outdated
$useCustomCsp = $this->getPopulatedValue('use_custom_csp', 'n') === 'y';
if ($useCustomCsp) {
$this->addHtml((new Callout(
CalloutType::Warning,
Copy link
Copy Markdown
Member

@Al2Klimov Al2Klimov Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown
Author

@TheSyscall TheSyscall Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Already listed as a requirement

TheSyscall
TheSyscall commented Mar 16, 2026
View reviewed changes
application/forms/Config/Security/CspConfigForm.php
use ipl\Web\Compat\CompatForm;
use ipl\Web\Widget\Callout;

class CspConfigForm extends CompatForm
Copy link
Copy Markdown
Author

@TheSyscall TheSyscall Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This currently doesn't output the config.ini to the screen like the old ConfigForm did.
I think changing the form type to a CompatForm is still the right call, because we don't want to rely on Zend_Forms forever.
If this behavior essential, we should reimplement the behavior of ConfigFrom as a CompatForm instead.

Copy link
Copy Markdown
Member

@Al2Klimov Al2Klimov Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even in new modules we reimplemented this behavior: Icinga/icingadb-web#1269

So I'd not downgrade this functionality.

Copy link
Copy Markdown
Author

@TheSyscall TheSyscall Mar 25, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR for this is open at #5480

@TheSyscall TheSyscall requested a review from Al2Klimov March 16, 2026 11:59
Al2Klimov

This comment was marked as resolved.

Sign in to view

Al2Klimov
Al2Klimov reviewed Mar 18, 2026
View reviewed changes
@TheSyscall TheSyscall requested a review from Al2Klimov March 19, 2026 08:58
Al2Klimov
Al2Klimov requested changes Mar 19, 2026
View reviewed changes
library/Icinga/Web/Widget/CspConfigurationTable.php Outdated
);

$this->addPolicyTable(
t('Dashboard'),
Copy link
Copy Markdown
Member

@Al2Klimov Al2Klimov Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you're concerned about #5477 (comment), you should be about this one too:

As not a IW2 dev, I'd have absolutely no clue that these are only my dashboards (if any!) and others may have their own.

Consider listing the dashboard-CSPs of all users, after all we have them (by name) in the preference store or something idk.

Module-provided dashboards should already be included as you should see all modules as admin. I guess they may contain external URLs as well.

Copy link
Copy Markdown
Author

@TheSyscall TheSyscall Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if we always have access to all users in something like LDAP.
Also listing all dashboards and menu entries for all users in an organization on every initial request seems pretty expensive.

If a module wants something whitelisted beyond what is automatically detected, it can already do that.

Copy link
Copy Markdown
Member

@Al2Klimov Al2Klimov Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We always have access to all users' dashboards and menu entries.

Imagine you make a custom CSP based on the generated one, but latter misses non-your dashboards.

@Al2Klimov Al2Klimov mentioned this pull request Mar 20, 2026
Open
@TheSyscall TheSyscall force-pushed the allow-custom-csp-header-5333 branch from f9f19b4 to 3a4e7ac Compare March 23, 2026 10:21
@flourish86
Copy link
Copy Markdown
Contributor

flourish86 commented Mar 23, 2026
edited
Loading

So, here would be my recommendation as discussed.

The simplified version

Step 1

Strict CSP ist disabled
Frame 13

Step 2

Enable CSP to see a table of generated CSP dependending on system and module usage.
Frame 11

Step 3

Toggle Custom CSP. This disables the generated CSP
Frame 12

Improvements

  • Proper hierarchy for the csp elements
  • Make obvious, what is enabled and disabled with "opacity"
  • Keep the table visible for reference, even when custom csp overrides the generated table
  • Add heltexts to clarify how it works

Additionally

  • Not in the mockups: Add toggles for Dashboard and Navigation section

@flourish86
Copy link
Copy Markdown
Contributor

flourish86 commented Mar 23, 2026

Advanced version of the editor

Rows can be toggled separately.

Frame 10

Disabled rows will fade out

Frame 14

Custom CSP sources can be added additionally

Frame 15

Generated CSP can be disabled completely

Only Custom CSP Rules will be used

Frame 16

@TheSyscall TheSyscall requested a review from Al2Klimov March 24, 2026 10:59
@lippserd lippserd added this to the 2.13 milestone Mar 24, 2026
@Al2Klimov Al2Klimov mentioned this pull request Mar 24, 2026
Open
TheSyscall added 29 commits April 2, 2026 10:10
@TheSyscall
Change naming of button to "Send CSP-Header"
c615368
@TheSyscall
Support custom CSP with empty value
7720360
@TheSyscall
Color the "data:" schema based on the directive
8a82898
@TheSyscall
Code style & Move arrays to class constants
60a4ffe
@TheSyscall
Code review changes
6e84ac5 
- Reload of form change if Csp was previously enabled in
`ConfigController`
- Use default attributes in `CspConfigurationTable`
- Rename `$policyDirectives` to `$directivePolicies` in `Csp`
@TheSyscall
Add a toggle to enable user content
f2ee388
@TheSyscall
Move CSP-Form into a newly created Security tab.
97377a2 
This tab requires the new config/security permission
@TheSyscall
Code review suggestions
1a60be2
@TheSyscall
Use new Csp class in ipl-web
1526729
@TheSyscall
Prefixed CSS-classes with csp-
100dcfe
@TheSyscall
Code style changes
9aeb8a8
@TheSyscall
Rework Csp to no longer rely on a private instance just to store the …
e99fa2b 
…nonce
@TheSyscall
Add form validation
650f932
@TheSyscall
Merge CspConfigurationTable with form
9853a5b 
This allows for checkboxes integrated inside the table.
This commit also adds disabling modules, dashboards and navigation items
individualy.
@TheSyscall
fixup! Store custom_csp
9a0211e
@TheSyscall
fixup! Remove large margin-bottom from table
036fdd1
@TheSyscall
Default use_custom_csp to 0
b9da9f0
@TheSyscall
Store security seection in config even if the section didn't exist be…
440e8ec 
…fore
@TheSyscall
Log errors during Csp loading
4b06ab8
@TheSyscall
Return Csp instances instead of raw arrays
a204e9b
@TheSyscall
Change Hook name to CspPolicyProvider
9401454
@TheSyscall
Make tables collapsible
d34cf59
@TheSyscall
Split title from table
7ba3020
@TheSyscall
Code review changes
55334f2
@TheSyscall
Indent polices if an icon exists in the table
65a8a19
@TheSyscall
Return an empty array instead of throwing an error
a3525b0
@TheSyscall
Change license and use SPDX-Header
7e2f24c
@TheSyscall
Display the label of the navigation type instead of its internal type
a7a64d6
@TheSyscall
Write documentation
bfec859
@TheSyscall TheSyscall force-pushed the allow-custom-csp-header-5333 branch from 3a24ab1 to bfec859 Compare April 2, 2026 09:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Al2Klimov Al2Klimov Al2Klimov requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@TheSyscall TheSyscall

Labels

cla/signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow customization of the CSP

7 participants

@TheSyscall @bobapple @flourish86 @Al2Klimov @lippserd @w1ll-i-code @zenosaaur