Seldaek
commented
2 months ago Sorry but I won't manage to review this one right now, seems solid at first sight but I'd rather give it some more thought.
Open martijnc opened 3 months ago
Seldaek
commented
2 months ago Sorry but I won't manage to review this one right now, seems solid at first sight but I'd rather give it some more thought.
This PR introduces the
DirectiveSetBuilderInterfaceand the default implementationConfigurationDirectiveSetBuilderproposed in #347, to allow for runtime modification of the CSP directive sets. The major changes are:DirectiveSetBuilderInterfaceandConfigurationDirectiveSetBuilder;ContentSecurityPolicyListenerconstructor now takesDirectiveSetBuilderInterfaceinstead of the directive sets directly;NelmioSecurityExtensionto provide the configuration to theConfigurationDirectiveSetBuilders, which in turn are injected intoContentSecurityPolicyListener(instead of the directive sets).This adds a layer between the configuration (and the directive sets built from it) and
ContentSecurityPolicyListener. This layer provides an integration point for application code to modify the directive sets based on the request (e.g., in a controller or a kernel event listener).