CSP: Renamed CSS CSP option

This commit is contained in:
Dan Brown
2026-05-26 12:50:19 +01:00
parent 2c49502345
commit d7ba0dc430
5 changed files with 10 additions and 10 deletions

View File

@@ -398,8 +398,8 @@ ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtub
# A list of sources/hostnames that can be loaded as CSS styles within BookStack.
# Space separated if multiple. BookStack host domain is auto-inferred.
# Defaults to a permissive set if not provided.
# Example: ALLOWED_CSS_SOURCES="https://fonts.googleapis.com"
ALLOWED_CSS_SOURCES=null
# Example: ALLOWED_STYLE_SOURCES="https://fonts.googleapis.com"
ALLOWED_STYLE_SOURCES=null
# A list of sources/hostnames that can be loaded as image content within BookStack.
# Space separated if multiple. BookStack host domain is auto-inferred, in addition to

View File

@@ -72,10 +72,10 @@ return [
// Current host and source for the "DRAWIO" setting will be auto-appended to the sources configured.
'iframe_sources' => env('ALLOWED_IFRAME_SOURCES', 'https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com'),
// A list of sources/hostnames that can be loaded as CSS styles within BookStack.
// A list of style sources/hostnames that can be loaded styles within BookStack.
// Space separated if multiple. BookStack host domain is auto-inferred.
// If not set, a permissive default set is used to reduce potential breakage.
'css_sources' => env('ALLOWED_CSS_SOURCES', null),
'style_sources' => env('ALLOWED_STYLE_SOURCES', null),
// A list of sources/hostnames that can be loaded as image content within BookStack.
// Space separated if multiple. BookStack host domain is auto-inferred, in addition to

View File

@@ -169,7 +169,7 @@ class CspService
*/
protected function getAllowedStyleSources(): array
{
$configured = config('app.css_sources');
$configured = config('app.style_sources');
if (is_string($configured)) {
$sources = array_filter(explode(' ', $configured));

View File

@@ -18,7 +18,7 @@
<server name="APP_URL" value="http://bookstack.dev"/>
<server name="APP_TIMEZONE" value="UTC"/>
<server name="APP_DISPLAY_TIMEZONE" value="UTC"/>
<server name="ALLOWED_CSS_SOURCES" value=""/>
<server name="ALLOWED_STYLE_SOURCES" value=""/>
<server name="ALLOWED_IMAGE_SOURCES" value=""/>
<server name="ALLOWED_IFRAME_HOSTS" value=""/>
<server name="ALLOWED_IFRAME_SOURCES" value="https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com"/>

View File

@@ -153,7 +153,7 @@ class SecurityHeaderTest extends TestCase
public function test_style_src_csp_header_set_to_permissive_defaults_when_not_configured()
{
config()->set('app.css_sources', null);
config()->set('app.style_sources', null);
$resp = $this->get('/');
$header = $this->getCspHeader($resp, 'style-src');
@@ -162,7 +162,7 @@ class SecurityHeaderTest extends TestCase
public function test_style_src_csp_header_can_be_overridden_by_config()
{
config()->set('app.css_sources', 'https://fonts.example.com');
config()->set('app.style_sources', 'https://fonts.example.com');
$resp = $this->get('/');
$header = $this->getCspHeader($resp, 'style-src');
@@ -172,7 +172,7 @@ class SecurityHeaderTest extends TestCase
public function test_style_src_csp_header_unsafe_inline_value_will_be_auto_quoted()
{
config()->set('app.css_sources', 'unsafe-inline https://css.example.com');
config()->set('app.style_sources', 'unsafe-inline https://css.example.com');
$resp = $this->get('/');
$header = $this->getCspHeader($resp, 'style-src');
@@ -182,7 +182,7 @@ class SecurityHeaderTest extends TestCase
public function test_style_src_can_be_blank_to_set_no_additions()
{
config()->set('app.css_sources', '');
config()->set('app.style_sources', '');
$resp = $this->get('/');
$header = $this->getCspHeader($resp, 'style-src');