Skip to content

Implement Csp#361

Merged
lippserd merged 1 commit into
mainfrom
cps
Jun 24, 2026
Merged

Implement Csp#361
lippserd merged 1 commit into
mainfrom
cps

Conversation

@TheSyscall

@TheSyscall TheSyscall commented Mar 23, 2026

Copy link
Copy Markdown
Contributor

Add a Csp class which represents the Content-Security-Policy header.

This new class can be used to manage the content security policy.
This class enforces default-src 'self' as a baseline for a secure web application.
The first nonce added to any directive is selected as THE nonce for the CSP.
Setting a nonce is not supported since a nonce could appear in any number of different directives.

Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
@TheSyscall TheSyscall requested a review from Al2Klimov March 24, 2026 12:34
Al2Klimov

This comment was marked as resolved.

@TheSyscall TheSyscall requested a review from Al2Klimov March 25, 2026 11:43
Al2Klimov
Al2Klimov previously approved these changes Mar 31, 2026

@Al2Klimov Al2Klimov left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested together with Icinga/icingaweb2#5477 (review).

Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
Comment thread src/Common/Csp.php Outdated
@TheSyscall TheSyscall requested a review from Al2Klimov April 15, 2026 07:07
@Al2Klimov Al2Klimov removed their request for review April 16, 2026 10:47
@TheSyscall TheSyscall requested a review from Al2Klimov April 16, 2026 12:08
Al2Klimov

This comment was marked as resolved.

Al2Klimov

This comment was marked as resolved.

@TheSyscall TheSyscall requested a review from Al2Klimov June 23, 2026 08:03
Al2Klimov

This comment was marked as resolved.

Al2Klimov

This comment was marked as resolved.

Al2Klimov

This comment was marked as resolved.

The `Csp` class provides an additive builder for CSP headers: directives
and their expressions are accumulated via `add()`, with duplicates
silently ignored. Expressions are validated against the CSP spec: URL
host sources (with scheme, port, and path), wildcards (`*` and
`*.subdomain`), keywords (`'self'`, `'none'`, `'unsafe-inline'`, etc.),
nonces (`'nonce-<value>'`), hash sources (sha256/384/512), report
hashes, sandbox unquoted keywords, and report-to endpoint names.

Fetch directives fall back through their inheritance chain to
`default-src` when queried via `getDirective()`, but `getRawDirective()`
and `hasRawDirective()` skip inheritance.

The first nonce encountered across all directives is exposed via
`getNonce()`.

`fromString()` parses an existing CSP header string back into a `Csp`
instance, and `merge()` combines multiple `Csp` instances into one,
deduplicating expressions and preserving the base nonce.

Co-authored-by: Eric Lippmann <eric.lippmann@icinga.com>
@lippserd lippserd merged commit b4975dc into main Jun 24, 2026
14 checks passed
@lippserd lippserd deleted the cps branch June 24, 2026 16:18
@nilmerg nilmerg added this to the 0.14.0 milestone Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants