Google Services wild card fragment updates
Wildcard rules do not care what the protocol is; updated any rules to use `https`. Ideally, since SilverStripe either uses TLS or SSL, we should force all URI/URLs to use the `https` protocol. `upgrade-insecure-requests` should handle any that aren't covered, but it makes sense to be explicit.

Wildcards only match the leftmost domain label. In the case of `*.example.com`, only `a.example.com` would be matched, not `a.b.example.com`. Thus specifying the entire URL is required. Additionally, wildcards only match DNS labels; they do not match schemes, e.g. `www.example.com` is not matched on `*.example.com`, thus full domain labels are required for the hostname as well as any required subdomain wildcard matching.

Also included in this change is a new configurable setting for whitelisting Google-supported domains on the IMG-SRC directive, as Google services like to use localised regional domains for endpoints rather than default URLs like `https://www.google.com` on IMG-SRC directives. This was an alternative requirement to specifying all the domains, as that made the header size too large.
1 parent d705f32, commit 88902ee. Showing 3 changed files with 67 additions and 4 deletions.
@@ -0,0 +1,29 @@ | ||
<?php | ||
|
||
namespace App\ContentSecurity\Fragments; | ||
|
||
use Silverstripe\CSP\Directive; | ||
use Silverstripe\CSP\Fragments\Fragment; | ||
use Silverstripe\CSP\Policies\Policy; | ||
|
||
/* | ||
* Allows execution of Google Maps API related resources | ||
* Nonce on the https://maps.google.com/maps/api/js URL is required before using this fragment. | ||
* | ||
* https://content-security-policy.com/examples/google-maps/ | ||
*/ | ||
class GoogleMaps implements Fragment | ||
{ | ||
public static function addTo(Policy $policy): void | ||
{ | ||
$policy | ||
->addDirective(Directive::CONNECT, 'https://maps.googleapis.com') | ||
->addDirective(Directive::IMG, | ||
[ | ||
'https://maps.gstatic.com', | ||
'https://*.googleapis.com', | ||
'https://*.ggpht.com' | ||
] | ||
); | ||
} | ||
} |
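Review bot: the doc comment on the class says a nonce on `https://maps.google.com/maps/api/js` is required before using this fragment, yet the fragment only adds `Directive::CONNECT` and `Directive::IMG` entries and nothing for the script itself, so a consumer reading only this file cannot tell where the Maps API script is allowed; either add the `script-src` allowance here or state explicitly in the comment that the nonce is applied by the page template and the script host is covered elsewhere. Two smaller points in the same hunk: the comment opens with `/*` rather than `/**`, so it is not a PHP docblock and IDE/phpDocumentor tooling will ignore it; and `'https://*.googleapis.com'` on `img-src` is broader than the `https://maps.googleapis.com` used for `connect-src`, which sits oddly with the commit message's stated aim of being explicit about hosts, so consider narrowing it or documenting why the wildcard is needed for images.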