EasyCorp / EasyAdminBundle

EasyAdmin is a fast, beautiful and modern admin generator for Symfony applications.
MIT License

Using EasyAdminBundle with Content Security Policy #5080

Open floriankittelmann opened 2 years ago

floriankittelmann commented 2 years ago

Describe the bug

We are using different Content Security Policy directives in our project via the nelmio/NelmioSecurityBundle. Our configuration in nelmio_security.yaml looks like this:

nelmio_security:
    csp:
        enforce:
            default-src:
                - 'self'
            script-src:
                - 'self'
            style-src:
                - 'self'
                - 'unsafe-inline'
            font-src:
                - 'self'
            object-src:
                - 'none'
            frame-src:
                - 'self'
            connect-src:
                - 'self'
            block-all-mixed-content: true

With this Content Security Policy configuration, EasyAdminBundle has problems loading some fonts, as you can see in the JavaScript console:

[screenshot of the console errors]

We especially see this in the HtmlEditor of EasyAdminBundle, in which the icons don't get loaded when the Content Security Policy is active:

Active CSP: [screenshot]

Inactive CSP: [screenshot]

Can you make sure that the fonts or icons can still be shown even with CSP in place?

To Reproduce

The full nelmio_security.yaml:

nelmio_security:
    clickjacking:
        paths:
            '^/.*': DENY
    csp:
        hosts: []
        content_types: []
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            default-src:
                - 'self'
            script-src:
                - 'self'
            style-src:
                - 'self'
                - 'unsafe-inline'
            font-src:
                - 'self'
            object-src:
                - 'none'
            frame-src:
                - 'self'
            connect-src:
                - 'self'
            block-all-mixed-content: true

    content_type:
        nosniff: true

    xss_protection:
        enabled: true
        mode_block: true

    referrer_policy:
        enabled: true
        policies:
            - 'strict-origin-when-cross-origin'

    forced_ssl:
        hsts_max_age: 2592000 # 30 days
        hsts_subdomains: true
        hsts_preload: true

redeye86 commented 2 years ago

I also came across CSP problems. For my frontend I use a custom Twig function which in turn calls a service, accessible across the whole application, that generates a random nonce for script and style tags. In the admin panel, however, it was quite complicated to get it to work, as I had to extend many of the views only to add a nonce="{{ csp_nonce() }}" attribute to the script tags. For instance, I had to rewrite the layout file to use a custom _js_assets.html.twig.

To add CSP support to EasyAdmin, the simplest approach would be to generate a nonce in AbstractController::configureResponseParameters, add it to the HTTP response in AbstractController::render, and modify all script (and style) tags in the views so that they use the attribute.
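One way to wire the nonce approach redeye86 describes, as an added example rather than code from EasyAdmin or this thread: a per-request nonce service, a csp_nonce() Twig function, and a kernel.response subscriber that emits the header. The class names are hypothetical; the header keeps the directives from the reported policy but lets the nonce replace style-src 'unsafe-inline' (it does not touch font-src, so the font problem in the original report is a separate matter).

```php
<?php
// Added example (not EasyAdmin code): per-request CSP nonce service, Twig function and response header.
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Twig\Extension\AbstractExtension;
use Twig\TwigFunction;
// One random nonce per request; reset on kernel.request so long-running workers never reuse one.
final class CspNonce implements EventSubscriberInterface
{
    private ?string $nonce = null;
    public function getNonce(): string
    {
        // 128 bits from the CSPRNG, base64-encoded as the CSP nonce-source grammar requires.
        return $this->nonce ??= base64_encode(random_bytes(16));
    }

    public function onRequest(RequestEvent $event): void
    {
        if ($event->isMainRequest()) { $this->nonce = null; }
    }

    public function onResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) { return; }
        // Same directives as the reported policy, with the nonce replacing style-src 'unsafe-inline'.
        $n = "'nonce-{$this->getNonce()}'";
        $event->getResponse()->headers->set('Content-Security-Policy', implode('; ', [
            "default-src 'self'", "script-src 'self' $n", "style-src 'self' $n", "font-src 'self'",
            "object-src 'none'", "frame-src 'self'", "connect-src 'self'", 'block-all-mixed-content',
        ]));
    }

    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::REQUEST => 'onRequest', KernelEvents::RESPONSE => 'onResponse'];
    }
}

// Twig side: {{ csp_nonce() }} goes on every <script> and <style> tag of the overridden views.
final class CspNonceExtension extends AbstractExtension
{
    public function __construct(private readonly CspNonce $csp) {}
    public function getFunctions(): array
    {
        return [new TwigFunction('csp_nonce', $this->csp->getNonce(...))];
    }
}
```

Register both classes as services (Symfony autoconfiguration tags the subscriber and the Twig extension automatically); only one component, this subscriber or nelmio_security's csp section, should emit the Content-Security-Policy header.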