bnomei / kirby3-security-headers

Kirby Plugin for easier Security Headers setup
https://forum.getkirby.com/t/kirby3-security-headers-best-practice-headers-nonce-csp-and-feature-policies/23583
MIT License

Setup with custom json file #27

Closed MikeHarrison closed 2 years ago

MikeHarrison commented 2 years ago

Hi, I have this plugin working with the default setup, but am struggling to use a custom json file to adjust the policy. This is my config.php (included in full in case there is an issue elsewhere):

<?php

return [

    'bnomei.securityheaders.loader' => function () {
        return kirby()->roots()->site() . '/csp.json';
    },

    'routes' => [
        [
            'pattern' => 'sitemap.xml',
            'action'  => function () {
                $pages = site()->pages()->index();

                // fetch the pages to ignore from the config settings,
                // if nothing is set, we ignore the error page
                $ignore = kirby()->option('sitemap.ignore', ['error']);

                $content = snippet('sitemap', compact('pages', 'ignore'), true);

                // return response with correct header type
                return new Kirby\Cms\Response($content, 'application/xml');
            }
        ],
        [
            'pattern' => 'sitemap',
            'action'  => function () {
                return go('sitemap.xml', 301);
            }
        ]
    ],
];

// no closing ?> tag: any whitespace after it would be sent as output before the headers

Then in my site root I have the following json file (csp.json):

{
  "report-only": false,
  "base-uri": {
    "self": true
  },
  "default-src": {
    "self": true
  },
  "connect-src": {
    "self": true
  },
  "font-src": {
    "self": true
  },
  "form-action": {
    "allow": [],
    "self": true
  },
  "frame-ancestors": [],
  "frame-src": {
    "allow": [],
    "self": false
  },
  "img-src": {
    "self": true,
    "data": true
  },
  "media-src": [],
  "object-src": [],
  "plugin-types": [],
  "script-src": {
    "allow": [],
    "hashes": [],
    "self": true,
    "unsafe-inline": false,
    "unsafe-eval": true
  },
  "style-src": {
    "self": true
  },
  "upgrade-insecure-requests": true,
  "worker-src": {
    "allow": [],
    "self": false
  }
}

When using this setup I get no CSP generated at all. Can you please advise where I am going wrong? Thanks!

bnomei commented 2 years ago

@MikeHarrison It was a bug in my code. Please upgrade and it should work now.

if you test on localhost try setting

site/config/config.localhost.php

<?php

return [
    'bnomei.securityheaders.enabled' => 'force', // this will work even when debug is true
    // other options...
];

MikeHarrison commented 2 years ago

Hi, thanks for taking a look at this. Unfortunately I am still seeing a blank security policy when trying to use a custom json file as a source.

I would be happy to zip up the project and send it over if that would help with working out what is happening.

andreasba commented 12 months ago

I can confirm the same behaviour in the current version @bnomei - can you please check?

This is the relevant part of my config.php for testing:

    // Content Security Policy Plugin
    'bnomei.securityheaders.enabled' => true,
    'bnomei.securityheaders.loader' => function () {
        return __DIR__ . '/loader.json';
    },

The result is an empty CSP policy.

If I remove the loader function, the defaults are applied, so unless I made some mistake, this is not fixed yet.

Can you please take a look?

Thanks!

andreasba commented 12 months ago

If anybody else is running into the same issue - a workaround is using the setter method:

    'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance) {
        // https://github.com/paragonie/csp-builder#build-a-content-security-policy-programmatically
        // Add a new source domain to the whitelist
        $csp = $instance->csp();
        $csp->addSource('script-src', 'https://subdomain.bla.com');
    },

Joobs commented 11 months ago

@andreasba I had a few issues to start with: make sure loader.json is in the same folder as the config (easiest way to make sure the path is correct), and if the config has any formatting errors it will display an empty policy. I got it working after correcting those two issues.
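The two failure modes named in this thread (a loader path that does not resolve, and a JSON file with a syntax error) both end in a silently empty policy. The script below is an added example, not code from the kirby3-security-headers plugin or from paragonie/csp-builder: it parses a loader JSON in the shape of the csp.json posted above, reports syntax errors with their position, renders an approximation of the header csp-builder would build from it (the expansion of `self`, `allow`, `data`, `unsafe-*` and `hashes` is an assumption about that library, not its code) so the result can be eyeballed before deploying, and lints for weak settings such as `'unsafe-eval'` in `script-src`. The sample JSON strings and the `check_loader_file` helper are constructed for the example.

```python
"""Added example (not part of the plugin): sanity-check a csp-builder style
loader JSON before handing its path to 'bnomei.securityheaders.loader'."""
import json
from pathlib import Path

# Constructed sample in the shape of the csp.json posted in the thread.
SAMPLE_CSP_JSON = """{
  "report-only": false,
  "base-uri": {"self": true},
  "default-src": {"self": true},
  "img-src": {"self": true, "data": true},
  "script-src": {"allow": [], "hashes": [], "self": true,
                 "unsafe-inline": false, "unsafe-eval": true},
  "frame-ancestors": [],
  "object-src": [],
  "upgrade-insecure-requests": true
}"""

# Constructed sample with a trailing comma: the "formatting error" case from the thread.
BROKEN_CSP_JSON = '{"default-src": {"self": true},}'

BOOLEAN_DIRECTIVES = {"upgrade-insecure-requests", "block-all-mixed-content"}
META_KEYS = {"report-only", "report-uri", "report-to"}


def load_policy(text):
    """Parse loader JSON. Returns (policy, error); a syntax error is reported
    with its position instead of silently becoming an empty policy."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
    if not isinstance(data, dict):
        return None, "top-level JSON value must be an object"
    return data, None


def check_loader_file(path):
    """Check what a loader callback would return: the file must exist and parse.
    Returns an error string, or None when the file is usable."""
    p = Path(path)
    if not p.is_file():
        return f"loader file not found: {p} (the loader must return the full path)"
    _, err = load_policy(p.read_text(encoding="utf-8"))
    return err


def render_directive(name, spec):
    """Render one directive. Approximates csp-builder's expansion (assumption,
    not the library's code); an empty source list renders as 'none'."""
    if name in BOOLEAN_DIRECTIVES:
        return name if spec else None
    sources = []
    if isinstance(spec, list):
        sources = [str(s) for s in spec]
    elif isinstance(spec, dict):
        if spec.get("self"):
            sources.append("'self'")
        sources.extend(str(s) for s in spec.get("allow", []))
        for scheme in ("data", "blob"):
            if spec.get(scheme):
                sources.append(f"{scheme}:")
        for flag in ("unsafe-inline", "unsafe-eval"):
            if spec.get(flag):
                sources.append(f"'{flag}'")
        for entry in spec.get("hashes", []):  # assumed shape: [{"sha256": "<base64>"}]
            for alg, digest in entry.items():
                sources.append(f"'{alg}-{digest}'")
    value = " ".join(sources) if sources else "'none'"
    return f"{name} {value}"


def render_policy(policy):
    """Return (header_name, header_value) for a parsed policy."""
    name = ("Content-Security-Policy-Report-Only" if policy.get("report-only")
            else "Content-Security-Policy")
    parts = []
    for directive, spec in policy.items():
        if directive in META_KEYS:
            continue
        rendered = render_directive(directive, spec)
        if rendered:
            parts.append(rendered)
    return name, "; ".join(parts)


def lint_policy(policy):
    """Flag weak or missing settings before the policy goes live."""
    warnings = []
    if "default-src" not in policy:
        warnings.append("no default-src: unlisted fetch directives are unrestricted")
    for directive in ("object-src", "base-uri", "frame-ancestors"):
        if directive not in policy:
            warnings.append(f"no {directive}: consider setting it explicitly")
    script = policy.get("script-src", {})
    if isinstance(script, dict):
        for flag in ("unsafe-inline", "unsafe-eval"):
            if script.get(flag):
                warnings.append(f"script-src allows '{flag}'")
    return warnings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CSP_JSON), ("broken", BROKEN_CSP_JSON)):
        policy, err = load_policy(text)
        print(f"[{label}]", err if err else render_policy(policy))
        if policy:
            for w in lint_policy(policy):
                print("  warning:", w)
```

Point `check_loader_file` at the path your loader callback returns (for example `site/csp.json` or `site/config/loader.json`) to confirm the file is where the plugin will look for it; the rendered header is only an approximation for review, the plugin itself still builds the real one.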