
Commit 92c870a

committed
Allow unsafe-inline JS and CSS per page. USE WITH CAUTION
1 parent e974aa6 commit 92c870a

2 files changed

+22
-2
lines changed


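--- a/src/Extensions/ControllerCSPExtension.php
+++ b/src/Extensions/ControllerCSPExtension.php
@@ -105,10 +105,13 @@ public function onBeforeInit()
 $ymlConfig = CSPBackend::config()->get('csp_config');
 $this->addPolicyHeaders = ($ymlConfig['enabled'] ?? false) || static::checkCookie($owner->getRequest());
 /** @var Controller $owner */
-$owner = $this->owner;
 if ($this->addPolicyHeaders) {
 $config = Injector::inst()->convertServiceProperty($ymlConfig);
 $legacy = $config['legacy'] ?? true;
+$unsafeCSSInline = $config['style-src']['unsafe-inline'];
+$config['style-src']['unsafe-inline'] = $unsafeCSSInline || $owner->dataRecord->AllowJSInline;
+$unsafeCSSInline = $config['script-src']['unsafe-inline'];
+$config['script-src']['unsafe-inline'] = $unsafeCSSInline || $owner->dataRecord->AllowJSInline;
 
 $policy = CSPBuilder::fromArray($config);
 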
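Review bot: The style-src line reads `$owner->dataRecord->AllowJSInline` where the new `AllowCSSInline` field is clearly intended, so the "Allow CSS inline" checkbox has no effect and ticking "Allow JS inline" loosens both directives at once; reusing the `$unsafeCSSInline` name for the script-src pair hides the mix-up. The lookups also index `['unsafe-inline']` with no null-coalesce, so a csp_config that omits the key raises an undefined-index notice, and `dataRecord` is presumably absent on controllers that are not page controllers — worth confirming. Suggested shape for both pairs: `$config['style-src']['unsafe-inline'] = ($config['style-src']['unsafe-inline'] ?? false) || (bool) ($owner->dataRecord->AllowCSSInline ?? false);` with `script-src`/`AllowJSInline` for the second. Dropping `$owner = $this->owner;` leaves the `/** @var Controller $owner */` docblock annotating nothing; since line 106 already uses `$owner`, the assignment presumably moved above the hunk, which is outside this view. onBeforeInit's body starts and ends outside the hunk.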
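--- a/src/Extensions/PageExtension.php
+++ b/src/Extensions/PageExtension.php
@@ -6,11 +6,13 @@
 use Firesphere\CSPHeaders\Models\CSPDomain;
 use Page;
 use SilverStripe\CMS\Model\SiteTree;
+use SilverStripe\Forms\CheckboxField;
 use SilverStripe\Forms\FieldList;
 use SilverStripe\Forms\GridField\GridField;
 use SilverStripe\Forms\GridField\GridFieldConfig_RelationEditor;
 use SilverStripe\Forms\Tab;
 use SilverStripe\ORM\DataExtension;
+use SilverStripe\ORM\FieldType\DBBoolean;
 use SilverStripe\ORM\ManyManyList;
 
 /**
@@ -21,10 +23,21 @@
 */
 class PageExtension extends DataExtension
 {
+
+private static $db = [
+'AllowCSSInline' => DBBoolean::class,
+'AllowJSInline' => DBBoolean::class,
+];
+
 private static $many_many = [
 'CSPDomains' => CSPDomain::class
 ];
 
+private static $defaults = [
+'AllowCSSInline' => false,
+'AllowJSInline' => false,
+];
+
 public function updateSettingsFields(FieldList $fields)
 {
 $fields->addFieldToTab('Root', Tab::create(
@@ -39,6 +52,10 @@ public function updateSettingsFields(FieldList $fields)
 $this->owner->CSPDomains(),
 $config
 );
-$fields->addFieldToTab('Root.CSP', $gridfield);
+$fields->addFieldsToTab('Root.CSP', [
+CheckboxField::create('AllowCSSInline', 'Allow CSS inline'),
+CheckboxField::create('AllowJSInline', 'Allow JS inline'),
+$gridfield
+]);
 }
 }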
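Review bot: The two checkboxes added at new lines 56–57 give editors a per-page switch that puts `'unsafe-inline'` into the page's script-src and style-src, but neither the field labels nor the `$db` declaration tell anyone that this removes the CSP's main defence against injected scripts on that page; the commit title's "USE WITH CAUTION" never reaches the CMS. Add a description on the field, e.g. `CheckboxField::create('AllowJSInline', 'Allow JS inline')->setDescription('Adds unsafe-inline to script-src for this page only; this weakens CSP protection against injected scripts')`, and a docblock on `$db` stating that both flags default to false via `$defaults` and are only consulted when policy headers are being added. Whether the Settings tab is limited to users allowed to edit page settings is decided outside this hunk, so I cannot tell from here which roles can flip these flags. Style: `$db` and `$defaults` use trailing commas while the new field array ends with a bare `$gridfield`, and the properties carry no type or doc comment.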
