wip

Author: t-heuser

Classes/Http/CspHeaderMiddleware.php

@@ -43,6 +43,12 @@ class CspHeaderMiddleware implements MiddlewareInterface
      */
     protected array $configuration;
 
+    /**
+     * @Flow\InjectConfiguration(path="policies")
+     * @var array<string, array<string, list<string>>>
+     */
+    protected array $policies;
+
     /**
      * @inheritDoc
      * @throws InvalidDirectiveException
@@ -73,16 +79,21 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
      */
     private function getPolicyByCurrentContext(ServerRequestInterface $request): Policy
     {
-        /*
-         * There is no other way to know if we're in the backend here, we cannot inject
-         * Neos\Neos\Domain\Service\ContentContext at this point as it throws an error.
-         */
-        if (str_starts_with($request->getUri()->getPath(), '/neos')) {
-            return $this->policyFactory->create(
-                $this->nonce,
-                $this->configuration['backend'],
-                $this->configuration['custom-backend']
-            );
+        $path = $request->getUri()->getPath();
+
+        $backendUris = array_merge(
+            $this->policies['backend']['matchUris'] ?? [],
+            $this->policies['custom-backend']['matchUris'] ?? []
+        );
+
+        foreach ($backendUris as $pattern) {
+            if (preg_match('#' . $pattern . '#', $path)) {
+                return $this->policyFactory->create(
+                    $this->nonce,
+                    $this->configuration['backend'],
+                    $this->configuration['custom-backend']
+                );
+            }
         }
 
         return $this->policyFactory->create(

Configuration/Settings.yaml

@@ -67,6 +67,12 @@ Flowpack:
           'self': true
           'data:': true
       custom-backend: [ ]
+    policies:
+      backend:
+        matchUris:
+          - '^/neos'
+      custom-backend:
+        matchUris: []
 
 Neos:
   Neos:

README.md

@@ -1,17 +1,17 @@
 # Flowpack.ContentSecurityPolicy
 
 <!-- TOC -->
-
 * [Flowpack.ContentSecurityPolicy](#flowpackcontentsecuritypolicy)
-    * [Introduction](#introduction)
-    * [Usage](#usage)
-    * [Custom directives and values](#custom-directives-and-values)
-        * [Show CSP configuration](#show-csp-configuration)
-    * [Disable or report only](#disable-or-report-only)
-    * [Nonce](#nonce)
-    * [Backend](#backend)
-    * [Thank you](#thank-you)
-
+  * [Introduction](#introduction)
+  * [Usage](#usage)
+  * [Deprecated Configuration](#deprecated-configuration)
+  * [Custom directives and values](#custom-directives-and-values)
+    * [Show CSP configuration](#show-csp-configuration)
+  * [Disable or report only](#disable-or-report-only)
+  * [Nonce](#nonce)
+  * [Backend](#backend)
+    * [Custom backend routes](#custom-backend-routes)
+  * [Thank you](#thank-you)
 <!-- TOC -->
 
 ## Introduction
@@ -190,6 +190,24 @@ Unsafe inline scripts and styles are allowed in the backend because otherwise th
 
 Again you can add your own policies in the custom-backend array the same way as the custom array for the frontend.
 
+### Custom backend routes
+
+By default, the backend policy is applied to all paths starting with `/neos`. If you have additional routes that require
+the same permissive policy (e.g. a custom admin UI at `/monocle`), add them to `custom-backend.matchUris`. Each entry
+is a PHP regex (without delimiters) matched against the request path.
+
+```yaml
+Flowpack:
+  ContentSecurityPolicy:
+    policies:
+      custom-backend:
+        matchUris:
+          - '^/monocle(/.*)?$'
+```
+
+The built-in `'^/neos'` pattern in `backend.matchUris` is unaffected, so the Neos backend continues to work without any
+changes. You only need to touch `backend.matchUris` if you want to replace the default `/neos` match entirely.
+
 ## Thank you
 
 This package originates from https://github.com/LarsNieuwenhuizen/Nieuwenhuizen.ContentSecurityPolicy.

Tests/Unit/Http/CspHeaderMiddlewareTest.php

@@ -69,6 +69,12 @@ protected function setUp(): void
             ['backend' => [], 'custom-backend' => [], 'default' => [], 'custom' => [],]
         );
 
+        $reflectionProperty = $this->middlewareReflection->getProperty('policies');
+        $reflectionProperty->setValue(
+            $this->middleware,
+            ['backend' => ['matchUris' => ['^/neos']], 'custom-backend' => ['matchUris' => []]]
+        );
+
         $this->requestHandlerMock->expects($this->once())->method('handle')->willReturn($this->responseMock);
     }
 
@@ -112,4 +118,52 @@ public function testProcessShouldAddHeadersToResponseAndReplaceBody(): void
 
         $this->middleware->process($this->requestMock, $this->requestHandlerMock);
     }
+
+    public function testProcessShouldUseBackendPolicyForCustomMatchUri(): void
+    {
+        $reflectionProperty = $this->middlewareReflection->getProperty('policies');
+        $reflectionProperty->setValue(
+            $this->middleware,
+            ['backend' => ['matchUris' => ['^/neos']], 'custom-backend' => ['matchUris' => ['^/monocle(/.*)?$']]]
+        );
+
+        $this->requestMock->expects($this->once())->method('getUri')->willReturn($this->uriMock);
+        $this->uriMock->expects($this->once())->method('getPath')->willReturn('/monocle/dashboard');
+
+        $this->policyFactoryMock->expects($this->once())->method('create')->willReturn($this->policyMock);
+        $this->policyMock->expects($this->once())->method('hasNonceDirectiveValue')->willReturn(false);
+        $this->responseMock->expects($this->once())->method('withAddedHeader')->willReturnSelf();
+
+        $this->middleware->process($this->requestMock, $this->requestHandlerMock);
+    }
+
+    public function testProcessShouldUseDefaultPolicyWhenNoMatchUriMatches(): void
+    {
+        $this->requestMock->expects($this->once())->method('getUri')->willReturn($this->uriMock);
+        $this->uriMock->expects($this->once())->method('getPath')->willReturn('/monocle/dashboard');
+
+        $this->policyFactoryMock->expects($this->once())->method('create')->willReturn($this->policyMock);
+        $this->policyMock->expects($this->once())->method('hasNonceDirectiveValue')->willReturn(false);
+        $this->responseMock->expects($this->once())->method('withAddedHeader')->willReturnSelf();
+
+        $this->middleware->process($this->requestMock, $this->requestHandlerMock);
+    }
+
+    public function testProcessShouldNotMatchNeosWhenBackendMatchUrisOverridden(): void
+    {
+        $reflectionProperty = $this->middlewareReflection->getProperty('policies');
+        $reflectionProperty->setValue(
+            $this->middleware,
+            ['backend' => ['matchUris' => ['^/other']], 'custom-backend' => ['matchUris' => []]]
+        );
+
+        $this->requestMock->expects($this->once())->method('getUri')->willReturn($this->uriMock);
+        $this->uriMock->expects($this->once())->method('getPath')->willReturn('/neos');
+
+        $this->policyFactoryMock->expects($this->once())->method('create')->willReturn($this->policyMock);
+        $this->policyMock->expects($this->once())->method('hasNonceDirectiveValue')->willReturn(false);
+        $this->responseMock->expects($this->once())->method('withAddedHeader')->willReturnSelf();
+
+        $this->middleware->process($this->requestMock, $this->requestHandlerMock);
+    }
 }