Conversation

@w1ll-i-code

Hi, as discussed with @lippserd, we improved the CSP header and added the ability to whitelist certain trusted domains for the image sources. This closes #5333.

@cla-bot cla-bot bot added the cla/signed label Mar 20, 2025
@lippserd
Member

> Hi, as discussed with @lippserd, we improved the CSP header and added the ability to whitelist certain trusted domains for the image sources. This closes #5333.

For reference: We discussed a use case where an Icinga Web module depends on features from an external provider, such as OpenStreetMap. Without the ability to modify the CSP header, every user of the module would need to adjust or override the web server configuration. A more effective approach we considered is to implement specific functionality in Icinga Web to modify only certain parts of the header. Additionally, I think such functionality would also be necessary for https://github.com/nbuchwitz/icingaweb2-module-map for example.

@w1ll-i-code w1ll-i-code force-pushed the 5333-allow-customization-of-the-csp branch 3 times, most recently from 168628c to 43c748e Compare March 20, 2025 11:13
@lippserd lippserd requested a review from nilmerg May 13, 2025 14:30
Member

@nilmerg nilmerg left a comment

There are some style issues as well. Please rebase with main and the actions will run and point this out.

@w1ll-i-code w1ll-i-code force-pushed the 5333-allow-customization-of-the-csp branch 3 times, most recently from 4ffe492 to d31bc33 Compare May 13, 2025 16:12
@nilmerg
Member

nilmerg commented May 14, 2025

I just noticed this breaks our own font loading, so all our icons are invisible since font-src: 'self' prohibits them. You can notice this in the menu pretty well for example.

In addition, I've already talked about this with you in person, I'd rather like to make this an automatic whitelisting. With the recent security release, we sandboxed iframes and automatically open them up in case a user configures a navigation item or dashboard with an external link. I'm thinking about the same with img-src and frame-src. So there could be a hook or something similar that would allow your module to announce that it requires images from a specific non-origin host and that gets automatically whitelisted using the desired policy.

So, I'm afraid, we need to re-think that. I also fear complications with child-src and connect-src. I promise we'll figure that out before the next major, so 2.13 will include something to resolve this.
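The per-directive announcement described in the comment above, sketched as an added example: this is not Icinga Web code, and the class name, the method names, the set of extensible directives and the sample origins (https://icinga.example, https://tile.openstreetmap.org) are assumptions made for the illustration. A module announces exactly one origin for exactly one directive; anything that would widen the policy beyond that (wildcards, keywords such as 'unsafe-inline', non-https schemes, directives the core keeps to itself) is rejected instead of emitted.

```php
<?php
// Added example (PHP 8), not Icinga Web code. A module announces a single
// trusted origin for a single CSP directive; the core keeps the rest of the
// header under its own control. Names and sample origins are hypothetical.

final class CspPolicy
{
    /** Directives a module may extend. Everything else stays core-only. */
    private const EXTENSIBLE = ['img-src', 'frame-src', 'child-src', 'connect-src', 'font-src'];

    /** @var array<string, string[]> directive name => source list */
    private array $directives;

    private string $origin;

    public function __construct(string $origin, array $base)
    {
        $this->origin = strtolower(rtrim($origin, '/'));
        $this->directives = $base;
    }

    /**
     * Allow one extra origin for one directive. Only an explicit
     * https://host[:port] origin passes: no '*', no 'unsafe-*' keywords,
     * no data: or http: schemes, no path. A module can therefore open the
     * policy for its own provider host and nothing more.
     */
    public function allow(string $directive, string $source): void
    {
        if (!in_array($directive, self::EXTENSIBLE, true)) {
            throw new InvalidArgumentException("directive not extensible: $directive");
        }
        if (!preg_match('~^https://[a-z0-9.-]+(:\d{1,5})?$~i', $source)) {
            throw new InvalidArgumentException("refusing non-origin source: $source");
        }
        $this->directives[$directive] ??= ["'self'"];
        if (!in_array($source, $this->directives[$directive], true)) {
            $this->directives[$directive][] = $source;
        }
    }

    public function toHeader(): string
    {
        $parts = [];
        foreach ($this->directives as $name => $sources) {
            $parts[] = $name . ' ' . implode(' ', $sources);
        }
        return 'Content-Security-Policy: ' . implode('; ', $parts);
    }

    /**
     * Minimal matcher: would this policy let $directive load $url?
     * Falls back to default-src when the directive is absent (CSP fetch
     * directive fallback); the child-src step for frame-src is not modelled.
     */
    public function allows(string $directive, string $url): bool
    {
        $sources = $this->directives[$directive] ?? $this->directives['default-src'] ?? [];
        $target = parse_url($url);
        if ($target === false || !isset($target['scheme'])) {
            return false;
        }
        $scheme = strtolower($target['scheme']);
        $targetOrigin = isset($target['host'])
            ? $scheme . '://' . strtolower($target['host']) . (isset($target['port']) ? ':' . $target['port'] : '')
            : null;
        foreach ($sources as $source) {
            $source = strtolower($source);
            if ($source === "'self'") {
                if ($targetOrigin === $this->origin) {
                    return true;
                }
            } elseif (str_ends_with($source, ':')) {
                if ($source === $scheme . ':') {   // scheme source such as data:
                    return true;
                }
            } elseif ($targetOrigin !== null && $source === $targetOrigin) {
                return true;
            }
        }
        return false;
    }
}

// Base policy as the core would ship it (constructed sample, not Icinga's actual header).
$policy = new CspPolicy('https://icinga.example', [
    'default-src' => ["'self'"],
    'img-src'     => ["'self'", 'data:'],
    'frame-src'   => ["'self'"],
    'font-src'    => ["'self'"],
]);

$tile = 'https://tile.openstreetmap.org/1/0/0.png';
var_dump($policy->allows('img-src', $tile));       // before the module announces its host

// A map module announces the one host it needs; no web server config is touched.
$policy->allow('img-src', 'https://tile.openstreetmap.org');
var_dump($policy->allows('img-src', $tile));       // after the announcement
echo $policy->toHeader(), PHP_EOL;

// Attempts to widen the policy are refused rather than silently emitted.
foreach (['*', "'unsafe-inline'", 'https://*.example', 'http://tile.openstreetmap.org', 'data:'] as $bad) {
    try {
        $policy->allow('img-src', $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The point of routing module requests through a validator like this, rather than letting a module hand the core a free-form directive string, is that a single badly written or compromised module cannot degrade the header for every page: the worst it can do is add its own https origin to one of the listed directives. Whether connect-src and child-src belong in the extensible set is exactly the open question the comment raises; the list above is an assumption, not the project's decision.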

@w1ll-i-code w1ll-i-code force-pushed the 5333-allow-customization-of-the-csp branch from d31bc33 to bbf35b5 Compare May 15, 2025 10:10
@w1ll-i-code w1ll-i-code force-pushed the 5333-allow-customization-of-the-csp branch from bbf35b5 to 2a9adc0 Compare May 15, 2025 10:12
@w1ll-i-code w1ll-i-code requested a review from nilmerg May 15, 2025 11:51
Member

@nilmerg nilmerg left a comment

Thanks for keeping at it!

I didn't look at it entirely yet. Only one thing for now:

The way you load navigation items is not correct yet. You forgot dashlets and you only load shared items the user is an owner of.

Take a look at \Icinga\Web\Navigation\Navigation::load for example. Though, please note that for dashlets a more complex solution is needed. Dashlets by modules can be loaded there (and should! Also modules may provide external URLs this way), but not user dashlets. This is done by \Icinga\Web\Widget\Dashboard::load instead.

Also, please remember that there are additional types of navigation items. A module can provide its own as well using \Icinga\Application\Modules\Module::provideNavigationItem. Monitoring's and Icinga DB Web's host and service actions are an example which may also result in an iframe.

So please restore the NavigationController and think about an alternative to the NavigationItemHelper.

@cla-bot

cla-bot bot commented Aug 6, 2025

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Davide Zeni.
This is most likely caused by a git client misconfiguration; please make sure to:

  1. Check if your git client is configured with an email to sign commits: git config --list | grep email
  2. If not, set it up using: git config --global user.email [email protected]
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

@cla-bot cla-bot bot removed the cla/signed label Aug 6, 2025
@zenosaaur zenosaaur force-pushed the 5333-allow-customization-of-the-csp branch from 3e68e02 to 47c9736 Compare August 6, 2025 15:48
@zenosaaur zenosaaur force-pushed the 5333-allow-customization-of-the-csp branch from 47c9736 to 78bfc90 Compare August 6, 2025 16:06
@cla-bot

cla-bot bot commented Aug 6, 2025

Thank you for your pull request. Before we can look at it, you'll need to sign a Contributor License Agreement (CLA).

Please follow instructions at https://icinga.com/company/contributor-agreement to sign the CLA.

After that, please reply here with a comment and we'll verify.

Contributors that have not signed yet: @zenosaaur

  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Please contact us if you think this is the case.

  • If you signed the CLA as a corporation, your GitHub username may not have been submitted to us. Please reach out to the responsible person in your organization.

@gianlucapiccolo
Contributor

Hello @nilmerg, can you please give us feedback on the changes we made? Thanks!


Development

Successfully merging this pull request may close these issues.

Allow customization of the CSP

5 participants