[Security] ContentSecurityPolicyHandler - Add exclude paths property …
…to disable csp for specific paths

Signed-off-by: dpahuja <divesh.pahuja@gmail.com>
dvesh3 authored and aryaantony92 committed Apr 14, 2022
1 parent e3897a3 commit 8c39a8b
Showing 3 changed files with 14 additions and 4 deletions.
4 changes: 4 additions & 0 deletions bundles/AdminBundle/DependencyInjection/Configuration.php
Expand Up @@ -59,6 +59,10 @@ public function getConfigTreeBuilder(): TreeBuilder
->canBeEnabled()
->info('Can be used to enable or disable the Content Security Policy headers.')
->children()
->arrayNode('exclude_paths')
->scalarPrototype()->end()
->info('Regular Expressions like: /^\/path\/toexclude/')
->end()
->arrayNode('additional_urls')
->addDefaultsIfNotSet()
->normalizeKeys(false)
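Review bot: The `exclude_paths` prototype at the `->scalarPrototype()->end()` line accepts any string, so a malformed pattern is only discovered at request time, where the listener's suppressed `preg_match` returns `false`, never matches, and the exclusion silently does nothing. Validating each entry when the container is compiled turns that into a hard configuration error: `->scalarPrototype()->validate()->ifTrue(static fn ($v) => !is_string($v) || @preg_match($v, '') === false)->thenInvalid('exclude_paths entries must be valid PCRE patterns, got %s')->end()->end()`. The `info()` text should also make the security consequence explicit, since a match removes the CSP header entirely for that admin response and an unanchored pattern can be satisfied by attacker-controlled parts of the URL, e.g. `->info('PCRE patterns matched against the admin request path, e.g. /^\/path\/toexclude/. Anchor patterns with ^ and $; a match disables the CSP header entirely for that response.')`. `getConfigTreeBuilder` starts before this hunk.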
10 changes: 10 additions & 0 deletions bundles/AdminBundle/EventListener/AdminSecurityListener.php
Expand Up @@ -71,6 +71,16 @@ public function onKernelResponse(ResponseEvent $event)
return;
}


if (!empty($this->config['admin_csp_header']['exclude_paths'])) {
$requestUri = $request->getRequestUri();
foreach ($this->config['admin_csp_header']['exclude_paths'] as $path) {
if (@preg_match($path, $requestUri)) {
return;
}
}
}

$response = $event->getResponse();

// set CSP header with random nonce string to the response
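Review bot: The exclusion at the `$requestUri = $request->getRequestUri();` line matches the configured patterns against the raw request URI, which includes the query string and any deployment base path, so a pattern that is not anchored at both ends (the documented example `/^\/path\/toexclude/` only anchors the start) can be satisfied by attacker-controlled URL content such as `/admin/some-page?x=/path/toexclude`, and a victim who opens that link gets the page without the CSP header it was meant to carry. Match the normalised path instead, `$requestUri = $request->getPathInfo();`, and compare the result explicitly so that `false` from an invalid pattern is distinguished from "no match": `if (preg_match($path, $requestUri) === 1) {`. Dropping the `@` and logging when `preg_match` returns `false` would make a broken exclusion visible to the operator rather than silently ignored; whether a logger is injected into this listener is not visible here. `onKernelResponse` starts before this hunk and `$request` is presumably assigned there, so confirm the exclusion only runs for the main request and not for sub-requests.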
4 changes: 0 additions & 4 deletions bundles/AdminBundle/Security/ContentSecurityPolicyHandler.php
Expand Up @@ -53,10 +53,6 @@ class ContentSecurityPolicyHandler implements LoggerAwareInterface
self::CONNECT_OPT => [
'https://liveupdate.pimcore.org/', //AdminBundle statistics & update-check service
'https://nominatim.openstreetmap.org/', //CoreBundle geocoding_url_template

],
self::SCRIPT_OPT => [
'http://unpkg.com/', // For the OPCache
],
];

