bookstack/bookstack
20
204
Fork
You've already forked bookstack
20

Introduce image and CSS CSP controls #6071

Manually merged
Zhey-on merged 1 commit from Zhey-on/feature/csp-image-css-controls-6033 into development 2026年05月17日 19:42:03 +02:00
Zhey-on commented 2026年03月26日 12:00:45 +01:00 (Migrated from github.com)
Copy link

Summary

This PR introduces CSP controls for image and CSS sources.

In line with the issue intent, the defaults are kept relatively permissive to prevent breaking changes on existing instances, while still providing clear options to tighten policies where needed.

Changes

  • Added img-src and style-src directives to CSP handling.
  • Added environment/config options:
    • ALLOWED_IMAGE_SOURCES
    • ALLOWED_CSS_SOURCES
  • Kept permissive defaults when these options are not set, to reduce rollout risk.
  • Added tests in SecurityHeaderTest for:
    • default behavior
    • custom override behavior
  • Added documentation:
    • .env.example.complete entries and examples
    • development docs section describing controls and hardening guidance
    • README pointer to the CSP docs section

Why this approach

The implementation is intentionally conservative by default, especially compared to JS/iframe controls, so instances do not unexpectedly break after upgrade. At the same time, admins can now explicitly restrict allowed sources as part of their hardening process.

Testing

  • docker compose run --rm app php artisan test tests/SecurityHeaderTest.php --filter="style src|img src|csp"

Closes #6033.

## Summary This PR introduces CSP controls for image and CSS sources. In line with the issue intent, the defaults are kept relatively permissive to prevent breaking changes on existing instances, while still providing clear options to tighten policies where needed. ## Changes - Added `img-src` and `style-src` directives to CSP handling. - Added environment/config options: - `ALLOWED_IMAGE_SOURCES` - `ALLOWED_CSS_SOURCES` - Kept permissive defaults when these options are not set, to reduce rollout risk. - Added tests in `SecurityHeaderTest` for: - default behavior - custom override behavior - Added documentation: - `.env.example.complete` entries and examples - development docs section describing controls and hardening guidance - README pointer to the CSP docs section ## Why this approach The implementation is intentionally conservative by default, especially compared to JS/iframe controls, so instances do not unexpectedly break after upgrade. At the same time, admins can now explicitly restrict allowed sources as part of their hardening process. ## Testing - `docker compose run --rm app php artisan test tests/SecurityHeaderTest.php --filter="style src|img src|csp"` Closes #6033.
ssddanbrown (Migrated from github.com) requested changes 2026年04月23日 16:37:08 +02:00
ssddanbrown (Migrated from github.com) left a comment
Copy link

Thanks for offering this @Zhey-on,
Please can you remove the readme and dev/docs changes though. Information on something this specific isn't relevant for these areas. I'll document this CSP use in our docs site as part of the future release changes.

Thanks for offering this @Zhey-on, Please can you remove the readme and dev/docs changes though. Information on something this specific isn't relevant for these areas. I'll document this CSP use in our docs site as part of the future release changes.
danb referenced this pull request from a commit 2026年05月17日 19:41:53 +02:00
danb manually merged commit dfc91d533b into development 2026年05月17日 19:42:03 +02:00
Sign in to join this conversation.
No reviewers
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
bookstack/bookstack!6071
Reference in a new issue
bookstack/bookstack
No description provided.
Delete branch "Zhey-on/feature/csp-image-css-controls-6033"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?