Add additional CSP header configuration options (#2871)

* Add additional CSP header configuration options Added configuration options to extend the allowed lists for the `child-src`, `font-src`, `form-action`, `frame-src`, `img-src`, and `media-src` directives in the Content Security Policy (CSP) headers. These changes enable compatibility with third-party tools, such as Google Analytics. * formatting
LycheeOrg · Jan 2, 2025 · 1856646 · 1856646
1 parent 5629479
commit 1856646
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/.env.example b/.env.example
@@ -99,6 +99,12 @@ QUEUE_CONNECTION=sync
 SECURITY_HEADER_HSTS_ENABLE=false
 SECURITY_HEADER_CSP_CONNECT_SRC=
 SECURITY_HEADER_SCRIPT_SRC_ALLOW=
+SECURITY_HEADER_CSP_CHILD_SRC=
+SECURITY_HEADER_CSP_FONT_SRC=
+SECURITY_HEADER_CSP_FORM_ACTION=
+SECURITY_HEADER_CSP_FRAME_SRC=
+SECURITY_HEADER_CSP_IMG_SRC=
+SECURITY_HEADER_CSP_MEDIA_SRC=
 SESSION_SECURE_COOKIE=false
 
 REDIS_HOST=127.0.0.1

diff --git a/config/secure-headers.php b/config/secure-headers.php
@@ -344,6 +344,7 @@
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
 		'child-src' => [
+			'allow' => explode(',', (string) env('SECURITY_HEADER_CSP_CHILD_SRC', '')),
 		],
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
@@ -359,11 +360,13 @@
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
 		'font-src' => [
+			'allow' => explode(',', (string) env('SECURITY_HEADER_CSP_FONT_SRC', '')),
 		],
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
 		'form-action' => [
 			'self' => true,
+			'allow' => explode(',', (string) env('SECURITY_HEADER_CSP_FORM_ACTION', '')),
 		],
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
@@ -372,6 +375,7 @@
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
 		'frame-src' => [
+			'allow' => explode(',', (string) env('SECURITY_HEADER_CSP_FRAME_SRC', '')),
 		],
 
 		// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
@@ -398,7 +402,8 @@
 				[
 					// @phpstan-ignore-next-line
 					str_replace(parse_url(env('AWS_URL'), PHP_URL_PATH), '', env('AWS_URL')),
-				]
+				],
+				explode(',', (string) env('SECURITY_HEADER_CSP_IMG_SRC', ''))
 			),
 		],
 
@@ -418,7 +423,8 @@
 				[
 					// @phpstan-ignore-next-line
 					str_replace(parse_url(env('AWS_URL'), PHP_URL_PATH), '', env('AWS_URL')),
-				]
+				],
+				explode(',', (string) env('SECURITY_HEADER_CSP_MEDIA_SRC', ''))
 			),
 		],