83 commits
f1b0702
Allow modules to adjust the CSP headers through a dedicated hook.
w1ll-i-code May 15, 2025
ac28021
Add additional validation for the url before using it in the frame-sr…
w1ll-i-code May 19, 2025
9ae6675
Allow editing of the CSP trusted image sources
TheSyscall Mar 12, 2026
29a4c63
Refactor CSP validation logic and improve access control for shared n…
zenosaaur Aug 25, 2025
eb2d42f
Refactor CSP handling to improve user checks
zenosaaur Sep 2, 2025
9a22254
Add a table which displays where a CSP directive comes from
TheSyscall Mar 11, 2026
21893eb
Move CSP table into its own Widget
TheSyscall Mar 11, 2026
ba93f40
Integrate the custom CSP setting
TheSyscall Mar 11, 2026
c0ed797
Use new hook style
TheSyscall Mar 12, 2026
53a2097
Custom CSP should completely override the automatically generated one
TheSyscall Mar 12, 2026
6a0e7d8
Allow configuration of the custom CSP-Header
TheSyscall Mar 12, 2026
332cbea
Move the check to send the CSP header into the Csp::isCspEnabled method
TheSyscall Mar 12, 2026
4586f2f
Fix a bug that caused the custom CSP textarea to be empty
TheSyscall Mar 12, 2026
f692db5
Allow for the usage of {style_nonce} in the custom CSP-Header setting
TheSyscall Mar 12, 2026
9569d07
Allow newlines in custom CSP
TheSyscall Mar 12, 2026
ccd79d8
Fix a bug that caused the custom_csp value to not be saved
TheSyscall Mar 12, 2026
e8e40eb
Add dynamic descryption for the custom CSP textarea
TheSyscall Mar 12, 2026
473baac
Fix code formating
TheSyscall Mar 12, 2026
2cf104b
fixup! Fix code formating
TheSyscall Mar 12, 2026
00cd765
Use generator to iterate the navigation items
TheSyscall Mar 12, 2026
452ee7a
fixup! hasAccessToSharedNavigationItem doesn't need to be public
TheSyscall Mar 12, 2026
bda449a
Add info for navigation items
TheSyscall Mar 12, 2026
56e34ed
Create style nonce before trying to display the automatic csp
TheSyscall Mar 13, 2026
9831e64
Add GPLv2+ license headers
TheSyscall Mar 13, 2026
4c51288
Use a callout to display a warning message that is more obvious
TheSyscall Mar 13, 2026
e5d9443
Simplify the way CSP items are collected for dashlets
TheSyscall Mar 13, 2026
aa419a0
Use generators instead of iterating over arrays multiple times
TheSyscall Mar 13, 2026
d63ab85
fixup! Code style
TheSyscall Mar 13, 2026
2b2c20f
Write documentation & rename Items to Origins
TheSyscall Mar 13, 2026
e702437
Remove passive agressive note to admins
TheSyscall Mar 13, 2026
f48be73
Display module name instead of hook class
TheSyscall Mar 13, 2026
8578118
Apply code review changes
TheSyscall Mar 16, 2026
3b41810
Hide unused form elements and table if CSP is disabled
TheSyscall Mar 16, 2026
40a5a44
Automatically reload the window on form success if CSP is active
TheSyscall Mar 16, 2026
9a78158
Change URLs in method documentation CspDirectiveHook::getCspDirectives()
TheSyscall Mar 16, 2026
4d41fd2
Use getValue instead of getPopulatedValue
TheSyscall Mar 16, 2026
2856c7e
Handle update to new value gracefully
TheSyscall Mar 16, 2026
152ebb3
Use a hidden element with the same name to store the custom value
TheSyscall Mar 16, 2026
8c2e86d
Remove superfluous mentions of CSP inside the Csp class
TheSyscall Mar 16, 2026
9663669
Use constructor promotion
TheSyscall Mar 16, 2026
a00a051
Remove duplicate default-src directive
TheSyscall Mar 17, 2026
9dc386f
Store populated values in hidden form elements
TheSyscall Mar 17, 2026
8f2f830
Only store and reload page if necessary
TheSyscall Mar 17, 2026
ca0f3e9
Navigation items that have children can also link to something
TheSyscall Mar 17, 2026
f39dd90
Include the port in the navigation URL
TheSyscall Mar 17, 2026
1b861c9
Navigation items on the top level should not have themselves as a parent
TheSyscall Mar 17, 2026
7989c69
Use 0/1 instead of n/y for config values
TheSyscall Mar 17, 2026
2e05f49
Removed unnecessary call to getUsername
TheSyscall Mar 17, 2026
864f801
Use generator to return the collection of CSP-Directives
TheSyscall Mar 17, 2026
1865150
Split CSP-Table into multiple with apropriate headers.
TheSyscall Mar 18, 2026
67f1493
Hide tables with no content
TheSyscall Mar 18, 2026
7160113
Use Link widget
TheSyscall Mar 18, 2026
02c4a5c
Move table into form
TheSyscall Mar 18, 2026
a11847d
fixup! Move CSP table into its own Widget
TheSyscall Mar 18, 2026
c615368
Change naming of button to "Send CSP-Header"
TheSyscall Mar 18, 2026
7720360
Support custom CSP with empty value
TheSyscall Mar 19, 2026
8a82898
Color the "data:" schema based on the directive
TheSyscall Mar 19, 2026
60a4ffe
Code style & Move arrays to class constants
TheSyscall Mar 19, 2026
6e84ac5
Code review changes
TheSyscall Mar 20, 2026
f2ee388
Add a toggle to enable user content
TheSyscall Mar 20, 2026
97377a2
Move CSP-Form into a newly created Security tab.
TheSyscall Mar 20, 2026
1a60be2
Code review suggestions
TheSyscall Mar 20, 2026
1526729
Use new Csp class in ipl-web
TheSyscall Mar 20, 2026
100dcfe
Prefixed CSS-classes with `csp-`
TheSyscall Mar 23, 2026
9aeb8a8
Code style changes
TheSyscall Mar 23, 2026
e99fa2b
Rework Csp to no longer rely on a private instance just to store the …
TheSyscall Mar 23, 2026
650f932
Add form validation
TheSyscall Mar 23, 2026
9853a5b
Merge CspConfigurationTable with form
TheSyscall Mar 24, 2026
9a0211e
fixup! Store `custom_csp`
TheSyscall Mar 24, 2026
036fdd1
fixup! Remove large margin-bottom from table
TheSyscall Mar 24, 2026
b9da9f0
Default use_custom_csp to 0
TheSyscall Mar 25, 2026
440e8ec
Store security seection in config even if the section didn't exist be…
TheSyscall Mar 25, 2026
4b06ab8
Log errors during Csp loading
TheSyscall Mar 25, 2026
a204e9b
Return Csp instances instead of raw arrays
TheSyscall Mar 25, 2026
9401454
Change Hook name to CspPolicyProvider
TheSyscall Mar 25, 2026
d34cf59
Make tables collapsible
TheSyscall Mar 25, 2026
7ba3020
Split title from table
TheSyscall Apr 1, 2026
55334f2
Code review changes
TheSyscall Apr 1, 2026
65a8a19
Indent polices if an icon exists in the table
TheSyscall Apr 1, 2026
a3525b0
Return an empty array instead of throwing an error
TheSyscall Apr 1, 2026
7e2f24c
Change license and use SPDX-Header
TheSyscall Apr 1, 2026
a7a64d6
Display the label of the navigation type instead of its internal type
TheSyscall Apr 2, 2026
bfec859
Write documentation
TheSyscall Mar 26, 2026
61 changes: 49 additions & 12 deletions application/controllers/ConfigController.php
Expand Up @@ -6,7 +6,9 @@
namespace Icinga\Controllers;

use Exception;
use GuzzleHttp\Psr7\ServerRequest;
use Icinga\Application\Version;
use Icinga\Util\Csp;
use InvalidArgumentException;
use Icinga\Application\Config;
use Icinga\Application\Icinga;
Expand All @@ -17,6 +19,7 @@
use Icinga\Forms\ActionForm;
use Icinga\Forms\Config\GeneralConfigForm;
use Icinga\Forms\Config\ResourceConfigForm;
use Icinga\Forms\Config\Security\CspConfigForm;
use Icinga\Forms\Config\UserBackendConfigForm;
use Icinga\Forms\Config\UserBackendReorderForm;
use Icinga\Forms\ConfirmRemovalForm;
Expand All @@ -25,6 +28,7 @@
use Icinga\Web\Notification;
use Icinga\Web\Url;
use Icinga\Web\Widget;
use ipl\Html\Contract\Form as ContractForm;

/**
* Application and module configuration
Expand All @@ -45,6 +49,14 @@ public function createApplicationTabs()
'baseTarget' => '_main'
));
}
if ($this->hasPermission('config/security')) {
$tabs->add('security', array(
'title' => $this->translate('Adjust the security configuration of Icinga Web 2'),
'label' => $this->translate('Security'),
'url' => 'config/security',
'baseTarget' => '_main'
));
}
if ($this->hasPermission('config/resources')) {
$tabs->add('resource', array(
'title' => $this->translate('Configure which resources are being utilized by Icinga Web 2'),
Expand Down Expand Up @@ -96,24 +108,49 @@ public function indexAction()
public function generalAction()
{
$this->assertPermission('config/general');

$this->view->title = $this->translate('General');

$form = new GeneralConfigForm();
$form->setIniConfig(Config::app());
$form->setOnSuccess(function (GeneralConfigForm $form) {
$config = Config::app();
$useStrictCsp = (bool) $config->get('security', 'use_strict_csp', false);
if ($form->onSuccess() === false) {
return false;
}
$form->handleRequest();

$this->view->form = $form;

$appConfigForm = $form->getSubForm('form_config_general_application');
if ($appConfigForm && (bool) $appConfigForm->getValue('security_use_strict_csp') !== $useStrictCsp) {
$this->createApplicationTabs()->activate('general');
}

/**
* Security configuration
*
* @throws SecurityException If the user lacks the permission for configuring the security configuration
*/
public function securityAction(): void
{
$this->assertPermission('config/security');

$this->view->title = $this->translate('Security');

$config = Config::app();
$cspForm = new CspConfigForm($config);
$cspForm->populate([
'use_strict_csp' => Csp::isEnabled(),
'use_custom_csp' => $config->get('security', 'use_custom_csp', '0'),
'custom_csp' => $config->get('security', 'custom_csp', ''),
'csp_enable_modules' => $config->get('security', 'csp_enable_modules', '1'),
'csp_enable_dashboards' => $config->get('security', 'csp_enable_dashboards', '1'),
'csp_enable_navigation' => $config->get('security', 'csp_enable_navigation', '1'),
]);

$cspForm->on(ContractForm::ON_SUBMIT, function (CspConfigForm $form) use ($config) {
if ($form->hasConfigChanged()) {
$this->getResponse()->setReloadWindow(true);
}
})->handleRequest();
});
$cspForm->handleRequest(ServerRequest::fromGlobals());
$this->view->cspForm = $cspForm;

$this->view->form = $form;
$this->view->title = $this->translate('General');
$this->createApplicationTabs()->activate('general');
$this->createApplicationTabs()->activate('security');
}

/**
Expand Down
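Review bot: The `use ($config)` capture on the ON_SUBMIT closure in securityAction is unused — the closure body only calls `$form->hasConfigChanged()` and `$this->getResponse()` — so the line can simply read `$cspForm->on(ContractForm::ON_SUBMIT, function (CspConfigForm $form) {`. Together with the removal of the `security_use_strict_csp` checkbox from ApplicationConfigForm.php, the strict-CSP toggle now lives only behind the new `config/security` permission, so a role that holds `config/general` but not `config/security` can no longer change CSP settings after this PR; that looks intended, but it should be called out in the upgrade notes and the default role definitions checked so the permission is actually grantable (its registration is not visible in this section). The securityAction docblock could also state that the form is populated from the `security` section of the application config and that a changed configuration triggers a window reload so the new header takes effect on the next response.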
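--- a/application/forms/Config/General/ApplicationConfigForm.php
+++ b/application/forms/Config/General/ApplicationConfigForm.php
@@ -57,18 +57,6 @@ public function createElements(array $formData)
 )
 );
 
-$this->addElement(
-'checkbox',
-'security_use_strict_csp',
-[
-'label' => $this->translate('Enable strict content security policy'),
-'description' => $this->translate(
-'Set whether to use strict content security policy (CSP).'
-. ' This setting helps to protect from cross-site scripting (XSS).'
-)
-]
-);
-
 $this->addElement(
 'text',
 'global_module_path',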