Comments (13)
ENV CONTENT_SECURITY_POLICY='{ "some": "JSON" }'
💡 Then use jq to turn it into an HTTP header.
from docker-php.
@danpastori You should review this above. ☝️
I'll probably pull this in the next release if you are cool with it.
@jaydrogers Makes sense to remove it. Looks like it's kind of a "false security" that can be circumnavigated through other attempts. We've implemented a secure CSP on our Docker containers right?
We did, but then we removed it.
docker-php/php/8.0/fpm-nginx/etc/nginx/server-opts.d/security.conf
Lines 17 to 19 in 7223a37
Adding more comments from /u/Tontonsb:
I just read the discussion on your PR. Yeah, CSP is the only solution, but unfortunately it's complex and very project specific. And on legacy projects you're just sometimes left with default-src https: data: 'unsafe-inline' 'unsafe-eval'... Actually, not "legacy" projects, but normal projects that are not made with CSP in mind.
We might want to remove CSP altogether and let users manage it on their own, or come up with a way where it can be easily managed with an environment variable 🤔
It gets very project specific and we will need really good documentation on this.
Just thinking out loud. How hard would it be to add some sort of custom .env type file that gets compiled into docker that's set on a per-app basis? For example (I'll try my best at yml):
Headers:
  CSP:
    "default-src":
      - 'self'
      - http:
And then you just flatten that array to be the header that gets added. I know when working with Electron and CapacitorJS, you have to have this down to a science.
As an addendum to ☝️, are there any other settings that would be useful to store in an env that are app specific? Maybe you already have this.
Good news is, there is no YAML in this repo. 🤔
ENVs are set like this:
docker-php/php/8.0/fpm-nginx/Dockerfile
Lines 9 to 19 in 7223a37
So that means it would look like this:
ENV CONTENT_SECURITY_POLICY="\"default-src \'self\' http: https: data: blob: \'unsafe-inline\'\" always\;"
☝️ But as you can see, I don't even know if this example will work.
We would have to escape all of this stuff in bash, which might get really messy. Not sure how NGINX would take this.
Thoughts?
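The escaping problem in the ENV line above comes from trying to carry nginx syntax (quotes, `always;`) inside the variable. The jq suggestion at the top of the thread and the "flatten the array" idea sidestep that: keep only the policy in the ENV, as JSON, and let a small renderer emit the `add_header` directive. The following is an added example in Python, not docker-php's own code; the ENV name CONTENT_SECURITY_POLICY is the one used in the thread, while the JSON shape (directive name to list of sources), the script itself and its validation rules are assumptions. It rejects anything that would break out of nginx's double-quoted string, be expanded as an nginx variable (`$`), or smuggle in an extra directive or policy (`;`, `,`), so a bad policy fails at container start instead of shipping a broken header.

```python
"""Render an nginx add_header directive for Content-Security-Policy
from a JSON policy stored in the CONTENT_SECURITY_POLICY ENV.

Added example, not docker-php's own code. The ENV name matches the
thread; the JSON shape and the checks below are assumptions.
"""
import json
import os
import re

# Characters that must not appear inside an nginx double-quoted directive
# value: a quote or backslash breaks the string, "$" is interpolated as an
# nginx variable by add_header, ";" and "," would inject extra CSP
# directives / policies, and control characters would corrupt the header.
_UNSAFE = re.compile(r'["\\$;,\x00-\x1f\x7f]')

# CSP directive names are lowercase tokens; a source is any run of
# printable ASCII with no whitespace (e.g. 'self', https:, data:, a host).
_DIRECTIVE = re.compile(r"^[a-z][a-z0-9-]*$")
_SOURCE = re.compile(r"^[\x21-\x7e]+$")


def build_csp(policy: dict) -> str:
    """Flatten {"default-src": ["'self'", "https:"], ...} into the
    serialized header value "default-src 'self' https:; ...".

    A directive may also be given as one string ("'self' https:") or as
    an empty list for source-less directives such as
    upgrade-insecure-requests.
    """
    parts = []
    for directive, sources in policy.items():
        if not _DIRECTIVE.match(directive):
            raise ValueError(f"bad CSP directive name: {directive!r}")
        if isinstance(sources, str):
            sources = sources.split()
        if not isinstance(sources, list):
            raise ValueError(f"sources for {directive} must be a list or string")
        for src in sources:
            if not isinstance(src, str) or not _SOURCE.match(src) or _UNSAFE.search(src):
                raise ValueError(f"bad CSP source in {directive}: {src!r}")
        parts.append(" ".join([directive, *sources]))
    return "; ".join(parts)


def nginx_add_header(policy_json: str, report_only: bool = False) -> str:
    """Turn the JSON policy into a complete nginx directive.

    "always" keeps the header on 4xx/5xx responses as well, which is what
    the thread's hand-written ENV line was trying to express.
    """
    policy = json.loads(policy_json)
    if not isinstance(policy, dict):
        raise ValueError("CSP JSON must be an object mapping directive -> sources")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return f'add_header {name} "{build_csp(policy)}" always;'


def render_from_env(env=os.environ) -> str:
    """Return the directive for the CONTENT_SECURITY_POLICY ENV, or an
    empty string when it is unset so the app can manage CSP itself."""
    raw = env.get("CONTENT_SECURITY_POLICY")
    if not raw:
        return ""
    return nginx_add_header(raw)


if __name__ == "__main__":
    # Constructed sample input; in a container this comes from the real ENV
    # and the output would be written into an nginx conf.d include.
    sample_env = {"CONTENT_SECURITY_POLICY": json.dumps({
        "default-src": ["'self'", "https:", "data:", "blob:", "'unsafe-inline'"],
        "script-src": "'self' https://cdn.example.com",
        "upgrade-insecure-requests": [],
    })}
    print(render_from_env(sample_env))
```

Running the block prints `add_header Content-Security-Policy "default-src 'self' https: data: blob: 'unsafe-inline'; script-src 'self' https://cdn.example.com; upgrade-insecure-requests" always;`, which an entrypoint script could redirect into an nginx include that `security.conf` picks up; the same JSON could equally be rendered with jq, as suggested at the top of the thread, as long as the same characters are refused.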
I'm thinking about providing an optional "App Specific" env. Would that make sense? Some sort of config file that you could customize and build into the docker image to overwrite values, or add values on an app specific basis?
It could be completely out of scope since I can set some of the CSP stuff in HTML. Just thinking.
That could definitely work. The only negative I see from controlling it from the app level for the ENV would be we need to figure that out for both application types:
- Laravel
- WordPress
Putting the ENV at the docker layer will allow us to set an ENV within Docker which could then be easily customized for any type of app.
I wonder if @szepeviktor would have any thoughts on this? ☝️
This speaks for itself. ~100% of browser makers do not support it.
I do not understand the technical details.
As far as I see security is made from very many steps. There is no way to protect a website without human 👨‍🔬 expertise and continuous presence: an expert webmaster.
Thanks @szepeviktor!
Specifically, I was wondering if there is a sensible way to set the content security policy as an ENV without it looking like garbage with all of the escaping. See this comment for more details: #31 (comment)