
Commit b596eab

Warn users when their source is excluded from CSP
When the CSP header is enabled but dashboards or navigation are not included in the generated policy, editing a dashlet or navigation item now shows an informational callout explaining that external URLs may not render correctly and pointing the user to the Security configuration page. Without this hint the breakage is silent and hard to connect to the CSP settings.
1 parent f16f2b1 commit b596eab

2 files changed

Lines changed: 44 additions & 0 deletions


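--- a/application/forms/Dashboard/DashletForm.php
+++ b/application/forms/Dashboard/DashletForm.php
@@ -5,12 +5,16 @@
 
 namespace Icinga\Forms\Dashboard;
 
+use Icinga\Util\Csp;
 use Icinga\Web\Form;
 use Icinga\Web\Form\Validator\InternalUrlValidator;
 use Icinga\Web\Form\Validator\UrlValidator;
 use Icinga\Web\Url;
 use Icinga\Web\Widget\Dashboard;
 use Icinga\Web\Widget\Dashboard\Dashlet;
+use ipl\Web\Common\CalloutType;
+use ipl\Web\Compat\DisplayFormElement;
+use ipl\Web\Widget\Callout;
 
 /**
 * Form to add an url a dashboard pane
@@ -75,6 +79,24 @@ public function createElements(array $formData)
 ]
 );
 
+if (Csp::isEnabled() && ! Csp::isDashboardEnabled()) {
+$this->addElement(
+'note',
+'csp_warning',
+[
+'decorators' => ['ViewHelper'],
+'value' => (new DisplayFormElement(new Callout(
+CalloutType::Info,
+$this->translate(
+'Any external url is not guaranteed to work as expected. '
+. 'Please make sure to check the Content-Security-Policy configuration.',
+),
+$this->translate('Dashboards are not enabled in the CSP configuration'),
+)))->render(),
+]
+);
+}
+
 $this->addElement(
 'textarea',
 'url',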
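Review bot: The `'value'` of the new `csp_warning` note in createElements is pre-rendered HTML, and with only the `ViewHelper` decorator the note helper appears to print it as-is rather than escape it (this is how Zend-style note elements behave as far as I can tell; the helper is not visible here). That is fine for the two static translated strings used now, but nothing in the code records the constraint, and a later edit that interpolates the dashlet URL or pane name into the message would depend entirely on Callout's own escaping. I would add a comment above the `addElement` call, e.g. `// Note value is emitted as raw HTML: pass only static, translated text to the Callout.` The same block is repeated in NavigationItemForm.php, so the comment belongs there too; createElements itself starts and ends outside this hunk.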

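--- a/application/forms/Navigation/NavigationItemForm.php
+++ b/application/forms/Navigation/NavigationItemForm.php
@@ -5,8 +5,12 @@
 
 namespace Icinga\Forms\Navigation;
 
+use Icinga\Util\Csp;
 use Icinga\Web\Form;
 use Icinga\Web\Url;
+use ipl\Web\Common\CalloutType;
+use ipl\Web\Compat\DisplayFormElement;
+use ipl\Web\Widget\Callout;
 
 class NavigationItemForm extends Form
 {
@@ -48,6 +52,24 @@ public function createElements(array $formData)
 ]
 );
 
+if (Csp::isEnabled() && ! Csp::isNavigationEnabled()) {
+$this->addElement(
+'note',
+'csp_warning',
+[
+'decorators' => ['ViewHelper'],
+'value' => (new DisplayFormElement(new Callout(
+CalloutType::Info,
+$this->translate(
+'Any external url is not guaranteed to work as expected. '
+. 'Please make sure to check the Content-Security-Policy configuration.',
+),
+$this->translate('Navigation items are not enabled in the CSP configuration'),
+)))->render(),
+]
+);
+}
+
 $this->addElement(
 'textarea',
 'url',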
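Review bot: `csp_warning` is registered as an ordinary form element, so unless note elements are ignored by default its rendered callout HTML may come back from `getValues()` together with the real fields; in this form that matters if the values are written into the navigation item's configuration (the save path is not visible here, so this needs confirming). Setting it explicitly costs one line: add `'ignore' => true,` next to `'decorators' => ['ViewHelper'],`. The identical element in DashletForm.php would take the same option. createElements continues outside the hunk.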
