Hello! I am coding a Plugin to provide more flow metrics to Kanboard. I am using Google Charts. My charts were not being displayed due to restrictions of " Content Security Policy". After a long code review and by googling for a solution I realized that the app was setting up a configuration that was blocking both calls of outside libraries and the in-line scripts.
I have realized that “ClassProvider” class under “Kanboard\ServiceProvider” namespace sets the following:
$container['cspRules'] = array(
//'default-src' => "'self'",
//'style-src' => "'self' 'unsafe-inline'",
'img-src' => '* data:',
);
I had to comment these lines in order to make my scripts been called.
With no comment, this blocks any call of in-line scripts and even putting the calls of SRC for outside scripts like so:
<script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
Does anyone knows how to tell Kanboard to change Content Security Policy configuration to let outside scripts working without updating its internal core code?
you can add cspRules like this in the initialize()
method of your plugin:
// get current csp rules
$cspRules = $this->container['cspRules'];
// edit csp rules like you want to
// add new domain to connect-src rule (to allow XHR fetch)
$cspRules['connect-src'] = $cspRules['default-src'] . " https://domain.com";
// update cspRules with the ones we changed
$this->container['cspRules'] = $cspRules;
because $this->container['cspRules']
actually calls a getter, it returns the value, not the reference, that`s why you need to get the values, update, then set them again.
The right way to do this is set the right rules. You could just remove them, but they are there for security (prevent XSS).
I think in your case you need to set 'default-src' => $cspRules['default-src'] . " https://www.gstatic.com"
CSP documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
1 Like
It is a VALUABLE contribution, Rafael!
Thank you very much!!!
Here is the code that worked in my case!
public function initialize()
{
$this->addCspRules();
$this->attachTemplates();
}
public function addCspRules()
{
// get current csp rules
$cspRules = $this->container['cspRules'];
// add new domain
$cspRules['script-src'] = "'unsafe-inline' 'self' https://fonts.googleapis.com https://fonts.gstatic.com http://php743.localhost.com https://www.gstatic.com https://cdnjs.cloudflare.com";
$cspRules['style-src'] = "'unsafe-inline' 'self' https://fonts.googleapis.com https://fonts.gstatic.com http://php743.localhost.com https://www.gstatic.com https://cdnjs.cloudflare.com";
// update cspRules with the ones we changed
$this->container['cspRules'] = $cspRules;
}