Allow to use custom request matcher

This adds an option to allow the use of a custom
request matcher, e.g. to exclude certain paths.

CHANGELOG.md

@@ -1,3 +1,6 @@
+### 2.11.x (2021-xx-xx)
+  * Added `csp > request_matcher` option to allow the use of a custom request matcher (`Symfony\Component\HttpFoundation\RequestMatcherInterface`)
+
 ### 2.10.1 (2020-06-18)
   * Fix ContentSecurityPolicyController
 

DependencyInjection/Configuration.php

@@ -201,6 +201,7 @@ private function addCspNode()
             ->canBeDisabled()
             // CSP is enabled by default to ensure BC
             ->children()
+                ->scalarNode('request_matcher')->defaultNull()->end()
                 ->arrayNode('hosts')->prototype('scalar')->end()->defaultValue(array())->end()
                 ->arrayNode('content_types')->prototype('scalar')->end()->defaultValue(array())->end()
                 ->arrayNode('report_endpoint')

DependencyInjection/NelmioSecurityExtension.php

@@ -71,6 +71,10 @@ public function load(array $configs, ContainerBuilder $container)
             $cspListenerDefinition->setArguments(array($reportDefinition, $enforceDefinition, new Reference('nelmio_security.nonce_generator'), new Reference('nelmio_security.sha_computer'), (bool) $cspConfig['compat_headers'], $cspConfig['hosts'], $cspConfig['content_types']));
             $container->setParameter('nelmio_security.csp.hash_algorithm', $cspConfig['hash']['algorithm']);
 
+            if (isset($cspConfig['request_matcher'])) {
+                $cspListenerDefinition->setArgument(7, new Reference($cspConfig['request_matcher']));
+            }
+
             $cspViolationLogFilterDefinition = $container->getDefinition('nelmio_security.csp_report.filter');
 
             $container->setParameter('nelmio_security.csp.report_log_level', $cspConfig['report_endpoint']['log_level']);

EventListener/ContentSecurityPolicyListener.php

@@ -14,6 +14,7 @@
 use Nelmio\SecurityBundle\ContentSecurityPolicy\NonceGenerator;
 use Nelmio\SecurityBundle\ContentSecurityPolicy\ShaComputer;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestMatcherInterface;
 use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@@ -37,8 +38,9 @@ class ContentSecurityPolicyListener extends AbstractContentTypeRestrictableListe
     protected $sha;
     protected $nonceGenerator;
     protected $shaComputer;
+    protected $requestMatcher;
 
-    public function __construct(DirectiveSet $report, DirectiveSet $enforce, NonceGenerator $nonceGenerator, ShaComputer $shaComputer, $compatHeaders = true, array $hosts = array(), array $contentTypes = array())
+    public function __construct(DirectiveSet $report, DirectiveSet $enforce, NonceGenerator $nonceGenerator, ShaComputer $shaComputer, $compatHeaders = true, array $hosts = array(), array $contentTypes = array(), RequestMatcherInterface $requestMatcher = null)
     {
         parent::__construct($contentTypes);
         $this->report = $report;
@@ -47,6 +49,7 @@ public function __construct(DirectiveSet $report, DirectiveSet $enforce, NonceGe
         $this->hosts = $hosts;
         $this->nonceGenerator = $nonceGenerator;
         $this->shaComputer = $shaComputer;
+        $this->requestMatcher = $requestMatcher;
     }
 
     /**
@@ -163,7 +166,13 @@ public function onKernelResponse($e)
             return;
         }
 
-        if ((empty($this->hosts) || in_array($e->getRequest()->getHost(), $this->hosts, true)) && $this->isContentTypeValid($response)) {
+        if ($this->requestMatcher) {
+            $match = $this->requestMatcher->matches($request);
+        } else {
+            $match = empty($this->hosts) || in_array($e->getRequest()->getHost(), $this->hosts, true);
+        }
+
+        if ($match && $this->isContentTypeValid($response)) {
             $signatures = $this->sha;
             if ($this->scriptNonce) {
                 $signatures['script-src'][] = 'nonce-'.$this->scriptNonce;