
Add CSP report filter #119

Merged
merged 1 commit into from
Jan 26, 2017

Conversation

romainneutron
Collaborator

No description provided.

@romainneutron romainneutron force-pushed the csp-report-filter branch 2 times, most recently from 289b428 to 6033451 Compare January 13, 2017 14:56
@romainneutron romainneutron force-pushed the csp-report-filter branch 14 times, most recently from 7b995e3 to fdb805e Compare January 16, 2017 15:46
@romainneutron romainneutron changed the title [WIP] Add CSP report filter Add CSP report filter Jan 16, 2017
@romainneutron
Collaborator Author

The PR is ready for review; here's the new doc related to this change below. Users collecting data with the existing Controller don't have to configure anything. Noise filtering should work out of the box.

Reporting:

Using the report-uri, you can easily collect violations using the ContentSecurityPolicyController.
Here's a configuration example using routing.yml:

csp_report:
    path: /csp/report
    methods: [POST]
    defaults: { _controller: nelmio_security.csp_reporter_controller:indexAction }

This part of the configuration helps to filter noise collected by this endpoint:

nelmio_security:
    csp:
        report_endpoint:
            log_level: "notice" # Use the appropriate log_level
            log_formatter: ~    # Declare a service name that must implement Nelmio\SecurityBundle\ContentSecurityPolicy\Violation\Log\LogFormatterInterface
            log_channel: ~      # Declare the channel to use with the logger
            filters:
                # Filter false positive reports given a domain list
                domains: true
                # Filter false positive reports given a scheme list
                schemes: true
                # Filter false positive reports given known browser bugs
                browser_bugs: true
                # Filter false positive reports given known injected scripts
                injected_scripts: true
                # You can add your custom filter rules by implementing Nelmio\SecurityBundle\ContentSecurityPolicy\Violation\Filter\NoiseDetectorInterface
                # and tagging the service with "nelmio_security.csp_report_filter"
            dismiss:
                # A list of key-values that should be dismissed
                # A key is either a domain or a regular expression
                # A value is a source or an array of sources. The '*' wildcard is accepted
                '/^data:/': 'script-src'
                '/^https?:\/\/\d+\.\d+\.\d+\.\d+(:\d+)*/': '*'
                'maxcdn.bootstrapcdn.com': '*'
                'www.gstatic.com': ['media-src', 'img-src']
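To make the dismiss semantics above concrete (a key that is either a host name or a regular expression, a value that is a directive, a list of directives, or '*'), here is an added stand-alone PHP example. It is not code from NelmioSecurityBundle and does not use the bundle's classes; the `isDismissed`/`isRegex` functions, the rule that a key delimited by `/` is treated as a PCRE pattern, and the sample reports are all constructed for illustration.

```php
<?php
// Added example, not part of NelmioSecurityBundle: applies "dismiss" rules with the
// semantics described in the PR comment to decoded CSP violation reports.
declare(strict_types=1);

/**
 * Assumption: a rule key wrapped in '/' is a PCRE pattern matched against the full
 * blocked-uri; any other key is compared case-insensitively against the blocked host.
 */
function isRegex(string $key): bool
{
    return strlen($key) >= 2 && $key[0] === '/' && substr($key, -1) === '/';
}

/**
 * Decide whether a CSP violation report should be dismissed as noise.
 *
 * @param array<string, string|string[]> $dismiss key: domain or /regex/; value: directive, list of directives, or '*'
 * @param array<string, string>          $report  the decoded "csp-report" object a browser POSTs to the report-uri
 */
function isDismissed(array $dismiss, array $report): bool
{
    $blockedUri = $report['blocked-uri'] ?? '';
    // effective-directive is the bare directive name; older browsers only send
    // violated-directive, whose first token is the directive name.
    $directive = $report['effective-directive']
        ?? explode(' ', $report['violated-directive'] ?? '', 2)[0];
    $host = parse_url($blockedUri, PHP_URL_HOST) ?: '';

    foreach ($dismiss as $key => $sources) {
        $keyMatches = isRegex($key)
            ? preg_match($key, $blockedUri) === 1
            : strcasecmp($host, $key) === 0;
        if (!$keyMatches) {
            continue;
        }
        // A value of '*' dismisses every directive; otherwise the directive must be listed.
        foreach ((array) $sources as $source) {
            if ($source === '*' || $source === $directive) {
                return true;
            }
        }
    }

    return false;
}

// Constructed rules mirroring the YAML dismiss block in the PR comment.
$dismiss = [
    '/^data:/'                                 => 'script-src',
    '/^https?:\/\/\d+\.\d+\.\d+\.\d+(:\d+)*/'  => '*',
    'maxcdn.bootstrapcdn.com'                  => '*',
    'www.gstatic.com'                          => ['media-src', 'img-src'],
];

// Constructed sample reports (only the fields the matcher reads).
$reports = [
    ['blocked-uri' => 'data:text/javascript;base64,AAAA', 'effective-directive' => 'script-src'], // dismissed by /^data:/
    ['blocked-uri' => 'data:image/png;base64,AAAA',       'effective-directive' => 'img-src'],    // kept: data: only dismissed for script-src
    ['blocked-uri' => 'http://10.0.0.5:8080/x.js',        'effective-directive' => 'script-src'], // dismissed by the IP-literal regex
    ['blocked-uri' => 'https://www.gstatic.com/a.js',     'effective-directive' => 'script-src'], // kept: only media-src/img-src listed
    ['blocked-uri' => 'https://www.gstatic.com/a.png',    'effective-directive' => 'img-src'],    // dismissed
    ['blocked-uri' => 'https://evil.example/x.js',        'violated-directive' => 'script-src \'self\''], // kept: no rule matches
];

foreach ($reports as $r) {
    printf(
        "%-40s %-11s %s\n",
        $r['blocked-uri'],
        $r['effective-directive'] ?? explode(' ', $r['violated-directive'], 2)[0],
        isDismissed($dismiss, $r) ? 'dismiss' : 'keep'
    );
}
```

Run it with `php dismiss.php`; the last column shows which reports the rules would drop. The point worth checking with such a matcher is the direction of each rule: `/^data:/` is scoped to `script-src` deliberately, so a `data:` image blocked under `img-src` still reaches the log, while the IP-literal and CDN rules use `'*'` and silence every directive for those sources. A custom rule set can be plugged into the bundle by wrapping logic like this in a class implementing the `NoiseDetectorInterface` named in the YAML comment and tagging the service with `nelmio_security.csp_report_filter`; the interface's method signature is not shown on this page, so consult the bundle's source for it.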
