bnomei / kirby3-security-headers

Kirby Plugin for easier Security Headers setup
https://forum.getkirby.com/t/kirby3-security-headers-best-practice-headers-nonce-csp-and-feature-policies/23583
MIT License

Disable in panel #18

Closed S1SYPHOS closed 3 years ago

S1SYPHOS commented 3 years ago

Hey there, I know that you struggled with this in #11, but there's an edge case I cannot solve for now:

When using your plugin together with custom-add-fields, the latter stops working. Since I can't figure out how to fix this, I could circumvent this problem by disabling your plugin on the panel.

I'd be happy to provide a PR with an option like bnomei.securityheaders.enablePanel or something like this ..

Cheers!

PS: If you're able to spot the problem in @steirico's index.js with the speed of lightning, feel free to let us know :fox_face:

bnomei commented 3 years ago

Try the bnomei.securityheaders.enabled option with a callback and return the same check as here? https://github.com/bnomei/kirby3-security-headers/blob/68ce54cb0c9e588bfe4a7e63b68af3e5587218ce/classes/SecurityHeaders.php#L34

bnomei commented 3 years ago

Another idea would be to use the same isPanel check in 1) the loader option and load a different JSON with unsafe eval AND 2) return a callback with null at the seed option to disable the nonce output then.

CSP with nonce will not allow unsafe. That's just how it is.

S1SYPHOS commented 3 years ago

Thanks for your ideas, they have already proven helpful!

I went with option No. 1:

'bnomei.securityheaders.loader' => function () {
    # Panel check, borrowed from @bnomei's `security-headers`
    # See https://github.com/steirico/kirby-plugin-custom-add-fields/issues/37
    $isPanel = strpos(
        kirby()->request()->url()->toString(),
        kirby()->urls()->panel
    ) !== false;

    if ($isPanel) {
        return kirby()->root('config') . '/settings/csp-backend.json';
    }

    return kirby()->root('config') . '/settings/csp-frontend.json';
}

.. hacky solution until v3.5 fixes this ;)

bnomei commented 3 years ago

Not 100%, but I think you need to do [loader + seed] or [enabled].

S1SYPHOS commented 3 years ago

Well, worked well as far as I could tell, but sure ..

'bnomei.securityheaders.enabled' => function () {
    # Panel check, borrowed from @bnomei's `security-headers`
    # See https://github.com/steirico/kirby-plugin-custom-add-fields/issues/37
    $isPanel = strpos(
        kirby()->request()->url()->toString(),
        kirby()->urls()->panel
    ) !== false;

    return !$isPanel;
},

bnomei commented 3 years ago

@S1SYPHOS I will add this to the plugin as well as a check for the API URL.

bnomei commented 3 years ago

https://github.com/bnomei/kirby3-security-headers/releases/tag/v2.4.0

bnomei commented 3 years ago

@S1SYPHOS once updated to 2.4.0 you will have to remove your custom config value for bnomei.securityheaders.enabled, or the API will still be using the headers.

S1SYPHOS commented 3 years ago

Roger that
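After switching between the frontend and Panel/API configurations discussed in this thread, the thing to verify is that the frontend still sends a nonce-based CSP while the Panel and API responses do not. The following offline check is an added example, not code from the issue or from the plugin; the header strings are constructed samples, and the check encodes the browser rule behind the maintainer's remark that a nonce makes 'unsafe-inline' ineffective.

```python
import re
from typing import Dict, List

# Constructed sample headers (not captured from a real site): a nonce-based
# frontend policy and two candidate Panel policies after the config split.
FRONTEND_CSP = "default-src 'self'; script-src 'self' 'nonce-c29tZXJhbmRvbQ=='; object-src 'none'"
PANEL_CSP_OK = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
PANEL_CSP_BAD = "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline' 'unsafe-eval'"

NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set explicitly."""
    return policy.get("script-src", policy.get("default-src", []))


def has_nonce(policy: Dict[str, List[str]]) -> bool:
    return any(NONCE_RE.match(src) for src in script_sources(policy))


def unsafe_inline_effective(policy: Dict[str, List[str]]) -> bool:
    """CSP Level 2+ browsers ignore 'unsafe-inline' in a directive that also
    carries a nonce or hash; True means the keyword would actually take effect."""
    sources = script_sources(policy)
    if "'unsafe-inline'" not in sources:
        return False
    hashed = any(src.startswith(HASH_PREFIXES) for src in sources)
    return not (has_nonce(policy) or hashed)


def check_split(frontend_csp: str, backend_csp: str) -> List[str]:
    """Findings for a frontend/backend header pair; an empty list means the split
    behaves as intended. An empty backend header means no CSP is sent at all."""
    findings = []
    if not has_nonce(parse_csp(frontend_csp)):
        findings.append("frontend: script-src carries no nonce")
    backend = parse_csp(backend_csp)
    if "'unsafe-inline'" in script_sources(backend) and not unsafe_inline_effective(backend):
        findings.append("backend: nonce still emitted, so 'unsafe-inline' is ignored")
    return findings
```

Feed it the Content-Security-Policy values fetched from the site root, the Panel URL and the API URL; any non-empty finding list means the loader/enabled switch is not taking effect for that request.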