
Comments (2)

valorin commented on July 30, 2024

@ziadoz If it helps, this is the CSP I'm using for Pulse.

report-uri ... ; 
default-src 'none' ; 
connect-src 'self' ; 
font-src 'self' https://fonts.bunny.net/figtree/files/ ; 
frame-src 'none' ; 
img-src 'self' data: https://gravatar.com/avatar/ https://unavatar.io/ ; 
manifest-src 'self' ; 
script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval' ; 
style-src 'self' 'unsafe-inline' https://fonts.bunny.net/css ; 
form-action 'self' ; 
frame-ancestors 'none'

I had to configure a standalone CSP for /pulse because it requires unsafe-inline and I was using nonces in my app.

from pulse.

ziadoz commented on July 30, 2024

@valorin Cheers, that really helps me out!

I closed the ticket because I realised I could attach my own policy to the Pulse route; I just needed to poke around and write all the directives.

I translated what you wrote into a Spatie CSP policy and it all works perfectly (thanks again):

<?php

namespace App\Csp\Policies;

use Spatie\Csp\Directive;
use Spatie\Csp\Keyword;
use Spatie\Csp\Policies\Basic;

// Standalone policy for the Pulse dashboard only; overriding configure() means
// none of Basic's default directives are applied, so every directive is set here.
class LaravelPulsePolicy extends Basic
{
    public function configure(): void
    {
        $this
            ->addDirective(Directive::DEFAULT, Keyword::NONE)
            ->addDirective(Directive::CONNECT, Keyword::SELF)
            ->addDirective(Directive::FONT, [Keyword::SELF, 'https://fonts.bunny.net/figtree/files/'])
            ->addDirective(Directive::FRAME, Keyword::NONE)
            // Space-separated sources in one string are split into individual entries.
            ->addDirective(Directive::IMG, [Keyword::SELF, 'data: https://gravatar.com/avatar/ https://unavatar.io/'])
            ->addDirective(Directive::MANIFEST, Keyword::SELF)
            // Pulse's inline scripts need unsafe-inline/unsafe-eval, which is why this
            // policy is scoped to the Pulse route rather than the nonce-based app policy.
            ->addDirective(Directive::SCRIPT, [Keyword::SELF, Keyword::UNSAFE_INLINE, Keyword::UNSAFE_EVAL])
            ->addDirective(Directive::STYLE, [Keyword::SELF, Keyword::UNSAFE_INLINE, 'https://fonts.bunny.net/css'])
            ->addDirective(Directive::FORM_ACTION, Keyword::SELF)
            ->addDirective(Directive::FRAME_ANCESTORS, Keyword::NONE);
    }
}

Then just hook it up in the config/pulse.php file:

    'middleware' => [
        'web',
        Authorize::class,
        Spatie\Csp\AddCspHeaders::class . ':' . App\Csp\Policies\LaravelPulsePolicy::class,
    ],

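A way to verify that the header the /pulse route actually sends matches the reference policy from the first comment, and to list which script sources it still leaves open. This is an added example, not code from this thread, from Pulse or from spatie/laravel-csp; the two header strings are constructed from the two policies above, with a placeholder report-uri target.

```python
"""Parse Content-Security-Policy header values and compare a deployed policy
against a reference one. Added example; not code from the Pulse issue thread."""
from __future__ import annotations

# Script-source tokens that broadly widen what may execute.
RISKY = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Constructed from the raw CSP posted above (report-uri target is a placeholder).
REFERENCE_CSP = (
    "report-uri /csp-report-placeholder; default-src 'none'; connect-src 'self'; "
    "font-src 'self' https://fonts.bunny.net/figtree/files/; frame-src 'none'; "
    "img-src 'self' data: https://gravatar.com/avatar/ https://unavatar.io/; "
    "manifest-src 'self'; "
    "script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline' https://fonts.bunny.net/css; "
    "form-action 'self'; frame-ancestors 'none'"
)

# Constructed: the directives the LaravelPulsePolicy above declares, as a header.
DEPLOYED_CSP = (
    "default-src 'none'; connect-src 'self'; "
    "font-src 'self' https://fonts.bunny.net/figtree/files/; frame-src 'none'; "
    "img-src 'self' data: https://gravatar.com/avatar/ https://unavatar.io/; "
    "manifest-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline' https://fonts.bunny.net/css; "
    "form-action 'self'; frame-ancestors 'none'"
)


def parse_csp(header: str) -> dict[str, set[str]]:
    """Split a serialized policy into {directive: set(sources)}.
    A repeated directive is ignored by browsers, so the first occurrence wins."""
    policy: dict[str, set[str]] = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy


def diff_csp(reference: str, deployed: str) -> dict[str, dict[str, set[str]]]:
    """Per directive, report sources the deployed policy lacks or adds."""
    ref, dep = parse_csp(reference), parse_csp(deployed)
    report: dict[str, dict[str, set[str]]] = {}
    for name in sorted(ref.keys() | dep.keys()):
        missing = ref.get(name, set()) - dep.get(name, set())
        extra = dep.get(name, set()) - ref.get(name, set())
        if missing or extra:
            report[name] = {"missing": missing, "extra": extra}
    return report


def risky_sources(header: str) -> list[tuple[str, str]]:
    """Broad script sources in script-src, or in default-src when it is the fallback."""
    policy = parse_csp(header)
    directive = "script-src" if "script-src" in policy else "default-src"
    return sorted((directive, s) for s in policy.get(directive, set()) if s in RISKY)
```

Against these two strings the diff shows that the translated policy drops report-uri and 'report-sample', so violation reports from /pulse would not be collected unless those are added back. In a real check, read DEPLOYED_CSP from the Content-Security-Policy header of a response from /pulse.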
