Closed S1SYPHOS closed 3 years ago
try `bnomei.securityheaders.enabled` option with a callback and return same check like here? https://github.com/bnomei/kirby3-security-headers/blob/68ce54cb0c9e588bfe4a7e63b68af3e5587218ce/classes/SecurityHeaders.php#L34
another idea would be to use the same isPanel check in
1) `loader` option and load a different json with unsafe eval
AND
2) return callback with null at the `seed` option to disable the nonce output then
CSP with nonce will not allow unsafe. that's just how it is.
Thanks for your ideas, they have already proven helpful!
I went with option No. 1:
```php
'bnomei.securityheaders.loader' => function () {
    # Panel check, borrowed from @bnomei's `security-headers`
    # See https://github.com/steirico/kirby-plugin-custom-add-fields/issues/37
    $isPanel = strpos(
        kirby()->request()->url()->toString(),
        kirby()->urls()->panel
    ) !== false;
    if ($isPanel) {
        return kirby()->root('config') . '/settings/csp-backend.json';
    }
    return kirby()->root('config') . '/settings/csp-frontend.json';
}
```
.. hacky solution until v3.5 fixes this ;)
not 100% but i think you need to do [loader + seed] or [enabled].
Well, worked well as far as I could tell, but sure ..
```php
'bnomei.securityheaders.enabled' => function () {
    # Panel check, borrowed from @bnomei's `security-headers`
    # See https://github.com/steirico/kirby-plugin-custom-add-fields/issues/37
    $isPanel = strpos(
        kirby()->request()->url()->toString(),
        kirby()->urls()->panel
    ) !== false;
    return !$isPanel;
},
```
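Both callbacks above decide panel vs. frontend with a substring match over the whole request URL. As an added example (not part of the thread or the plugin's code), the code below compares that check with a host-and-path-prefix match on constructed URLs; the function names `isPanelSubstring`, `isPanelPath` and `cspFileFor` are hypothetical, and it assumes the URL string being checked may carry a query string.

```php
<?php
// Added example, not the plugin's code; plain strings in, so it runs without Kirby.

// Substring check as used in the thread.
function isPanelSubstring(string $requestUrl, string $panelUrl): bool
{
    return strpos($requestUrl, $panelUrl) !== false;
}

// Stricter check: same host, and the path is the panel path or lies below it.
function isPanelPath(string $requestUrl, string $panelUrl): bool
{
    $req   = parse_url($requestUrl);
    $panel = parse_url($panelUrl);
    if ($req === false || $panel === false) {
        return false; // unparsable URL: treat as frontend, keep the strict policy
    }
    if (strcasecmp($req['host'] ?? '', $panel['host'] ?? '') !== 0) {
        return false;
    }
    $reqPath   = rtrim($req['path'] ?? '/', '/');
    $panelPath = rtrim($panel['path'] ?? '', '/');
    if ($panelPath === '') {
        return false; // no panel path known: never relax the policy
    }
    return $reqPath === $panelPath
        || strncmp($reqPath, $panelPath . '/', strlen($panelPath) + 1) === 0;
}

// Chooses the CSP file like the loader callback (file names from the thread).
function cspFileFor(string $requestUrl, string $panelUrl, string $configRoot): string
{
    $file = isPanelPath($requestUrl, $panelUrl) ? 'csp-backend.json' : 'csp-frontend.json';
    return $configRoot . '/settings/' . $file;
}

// Constructed sample URLs; example.com and /site/config are placeholders.
$panelUrl = 'https://example.com/panel';
$samples  = [
    'https://example.com/panel/pages/home',
    'https://example.com/panel-news',
    'https://example.com/blog?ref=https://example.com/panel',
];
foreach ($samples as $url) {
    printf("%-56s substring=%-5s path=%-5s %s\n", $url,
        var_export(isPanelSubstring($url, $panelUrl), true),
        var_export(isPanelPath($url, $panelUrl), true),
        basename(cspFileFor($url, $panelUrl, '/site/config')));
}
```

Only the first sample is under the panel path; the other two pass the substring check but get the frontend policy from the path-based one.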
@S1SYPHOS i will add this to plugin as well as a check for the api url.
@S1SYPHOS once updated to 2.4.0 you will have to remove your custom config value for `bnomei.securityheaders.enabled` or the api will still be using the headers
Roger that
Hey there, I know that you struggled with this in #11, but there's an edge case I cannot solve for now:

When using your plugin together with `custom-add-fields`, the latter stops working. Since I can't figure out how to fix this, I could circumvent this problem by disabling your plugin on the panel. I'd be happy to provide a PR with an option like `bnomei.securityheaders.enablePanel` or something like this ..

Cheers!

PS: If you're able to spot the problem in @steirico's `index.js` with the speed of lightning, feel free to let us know :fox_face: