
use object structure for CSP rules so config can be split into different files and correctly be merged #10

@fheinze

Description


Current behaviour when merging ...

# Settings.01.CSP.yaml
Flowpack:
  ContentSecurityPolicy:
    content-security-policy:
      script-src:
         - A
         - B
         - C
         - D

with this

# Settings.02.CSP.yaml
Flowpack:
  ContentSecurityPolicy:
    content-security-policy:
      script-src:
         - X
         - Y

leads to this

Flowpack:
  ContentSecurityPolicy:
    content-security-policy:
      script-src:
         - X
         - Y
         - C
         - D

Desired behaviour after merging ...

Flowpack:
  ContentSecurityPolicy:
    content-security-policy:
      script-src:
         - A
         - B
         - C
         - D
         - X
         - Y

However, this will not be easy to implement, as the SettingsLoader does not seem to let us change the merging behaviour only for our config.

Proposed solution:

Change the CSP config to an object structure similar to the Neos constraints configuration.

# Settings.01.CSP.yaml
Flowpack:
  ContentSecurityPolicy:
    content-security-policy:
      script-src:
         'A': true
         'B': true
         'C': true
         'D': true

Merging this will work just fine ;)

# Settings.01.CSP.yaml
Flowpack:
  ContentSecurityPolicy:
    content-security-policy:
      script-src:
         'A': true
         'B': true
         'C': true
         'D': true
         'X': true
         'Y': true

We could even target rules more easily and deactivate them through a different config.

Other things to consider:

Could it be useful to support both formats for now, with deprecation warnings for the old one?
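The merge behaviour the issue describes, reproduced as an added example in plain PHP (this is not code from the Flowpack.ContentSecurityPolicy package or from Flow's SettingsLoader). It assumes that the settings merge behaves like PHP's own array_replace_recursive, i.e. key-wise, recursive, later file wins; the issue only shows the outcome of the real loader, not its implementation. The two input arrays are constructed to match the YAML files above after parsing.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Flowpack.ContentSecurityPolicy package or from Flow.
// It reproduces the merge behaviour described in the issue on constructed input and shows
// why the map ("object") structure survives merging while the list structure does not.
// Assumption: the settings merge behaves like PHP's array_replace_recursive (key-wise,
// recursive, later file wins); the issue only shows the outcome of the real loader.

// Constructed equivalents of the two YAML files, as a YAML parser hands them to PHP.
// YAML sequences become PHP lists, i.e. arrays with numeric keys 0, 1, 2, ...
$listSettings1 = ['script-src' => ['A', 'B', 'C', 'D']];
$listSettings2 = ['script-src' => ['X', 'Y']];

// The proposed structure: source => bool. A later file can also switch a source off.
$mapSettings1 = ['script-src' => ['A' => true, 'B' => true, 'C' => true, 'D' => true]];
$mapSettings2 = ['script-src' => ['X' => true, 'Y' => true, 'B' => false]];

/**
 * Key-wise recursive overrule. For lists the keys are 0, 1, ... so X overwrites A and
 * Y overwrites B: exactly the entries the current list format loses on merge.
 */
function mergeSettings(array $base, array $override): array
{
    return array_replace_recursive($base, $override);
}

/**
 * Render one directive from the map structure into a CSP header fragment.
 * Only sources mapped to true are emitted, so 'B': false in a later file removes B.
 */
function renderDirective(string $directive, array $sources): string
{
    $enabled = array_keys(array_filter($sources, fn ($on): bool => $on === true));
    return $directive . ' ' . implode(' ', $enabled);
}

// List format: A and B are overwritten by X and Y (current behaviour from the issue).
$mergedList = mergeSettings($listSettings1, $listSettings2);
echo 'list merge: ', implode(' ', $mergedList['script-src']), PHP_EOL;

// Map format: all sources are kept, and B is deactivated by the second file.
$mergedMap = mergeSettings($mapSettings1, $mapSettings2);
echo 'map merge:  ', renderDirective('script-src', $mergedMap['script-src']), PHP_EOL;
```

One practical wrinkle of the map form that is worth checking when implementing it: CSP keywords such as 'self' carry their single quotes as part of the token, so as YAML map keys they need an outer quoting layer (for example "'self'": true), whereas in the list form the quoted string is the value and needs no extra quoting.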
