Configuration
Configuration of this bundle is handled by the ise_web_websecurity.yaml file found in your project's /config/packages folder.
Configuration allows you to specify the policies that the bundle will apply. Every feature has an active flag which decides whether the feature is applied in a given context.
In the case of coop and coep, if the feature is active then a policy must also be defined. More detail on these policies can be found here. The policy values accepted for each are listed below:
- coop
  same-site
  same-origin
  cross-site
  unsafe-none
- coep
  require-corp
  unsafe-none
A policy_overwrite flag lets you define a policy outside of this list, should the spec change.
coop:
    active: true
    policy: 'same-origin'
coep:
    active: true
    policy: 'require-corp'
The policies available for Fetch Metadata are broader. If no policy is specified, the default policy is used. The default policy is detailed in this article.
When using the default policy, defining allowed_endpoints: [ENDPOINTS] in the configuration adds those endpoints to the list of endpoints the default policy allows through.
Custom policies can be defined, provided they implement the Ise\WebSecurityBundle\Policies\FetchMetadataPolicyInterface interface. Defining a custom policy is not recommended, but should a unique situation present itself in your application, or if you have a good knowledge of the Fetch Metadata feature, this interface allows you to create a policy of your own. To apply your policy to a given path, the configuration option takes the service (fully qualified class name) of the policy, in the form policy: SERVICE, for example policy: Ise\WebSecurityBundle\Policies\FetchMetadataPolicy.
See the example below:
fetch_metadata:
    active: true
    policy: Ise\WebSecurityBundle\Policies\DefaultFetchMetadataPolicy
    # Allowed endpoints only applies to the default fetch metadata policy provided by the bundle
    allowed_endpoints: ['/img']
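To make the default behaviour concrete, the following is an added example written for this page; it is not code from the bundle. The page does not show the methods of FetchMetadataPolicyInterface, so the class name, the method name isRequestAllowed and its signature are assumptions, and wiring the class into the bundle as a service is left to the reader. The decision rules are the standard Fetch Metadata resource isolation policy (allow same-site and browser-initiated requests, allow plain GET navigations except into object/embed, reject other cross-site requests), with the allowed_endpoints exemption from the configuration above applied first. The request headers at the bottom are constructed samples, not captured traffic.

```php
<?php
// Added example, not bundle code. Interface method name/signature are assumptions.
declare(strict_types=1);

final class ExampleResourceIsolationPolicy
{
    /** @param string[] $allowedEndpoints path prefixes exempt from isolation (cf. allowed_endpoints) */
    public function __construct(private array $allowedEndpoints = [])
    {
    }

    /**
     * Decide whether a request may be served.
     *
     * @param string                $method  HTTP method, upper-cased
     * @param string                $path    request path, e.g. "/api/transfer"
     * @param array<string, string> $headers request headers with lower-cased names
     */
    public function isRequestAllowed(string $method, string $path, array $headers): bool
    {
        // 1. Explicitly allowed endpoints (public images, etc.) bypass the check.
        foreach ($this->allowedEndpoints as $prefix) {
            if (str_starts_with($path, $prefix)) {
                return true;
            }
        }

        // 2. Browsers that do not send Fetch Metadata cannot be isolated; allow them.
        if (!isset($headers['sec-fetch-site'])) {
            return true;
        }

        // 3. Same-origin, same-site and browser-initiated ("none") requests are safe.
        if (in_array($headers['sec-fetch-site'], ['same-origin', 'same-site', 'none'], true)) {
            return true;
        }

        // 4. Cross-site top-level navigations via GET are allowed, except when the
        //    destination is an embedding context (<object>/<embed>).
        $mode = $headers['sec-fetch-mode'] ?? '';
        $dest = $headers['sec-fetch-dest'] ?? '';
        if ($mode === 'navigate' && $method === 'GET' && !in_array($dest, ['object', 'embed'], true)) {
            return true;
        }

        // 5. Anything else is a cross-site subresource load or a non-GET navigation: reject.
        return false;
    }
}

// Constructed sample requests (not real traffic) against the policy with '/img' allowed.
$policy = new ExampleResourceIsolationPolicy(['/img']);

$crossSitePost = ['sec-fetch-site' => 'cross-site', 'sec-fetch-mode' => 'cors', 'sec-fetch-dest' => 'empty'];
$crossSiteNav  = ['sec-fetch-site' => 'cross-site', 'sec-fetch-mode' => 'navigate', 'sec-fetch-dest' => 'document'];
$crossSiteImg  = ['sec-fetch-site' => 'cross-site', 'sec-fetch-mode' => 'no-cors', 'sec-fetch-dest' => 'image'];

var_dump($policy->isRequestAllowed('POST', '/api/transfer', $crossSitePost));
var_dump($policy->isRequestAllowed('GET', '/account', $crossSiteNav));
var_dump($policy->isRequestAllowed('GET', '/img/logo.png', $crossSiteImg));
var_dump($policy->isRequestAllowed('GET', '/private/chart.png', $crossSiteImg));
var_dump($policy->isRequestAllowed('GET', '/private/chart.png', []));
```

Run with php on the command line. The cross-site POST to /api and the cross-site image load of /private/chart.png are rejected; the cross-site GET navigation, the image under the exempt /img prefix and the request carrying no Sec-Fetch-* headers at all (an old browser) are allowed. That last case is the point to keep in mind when tuning allowed_endpoints: the policy is a defence against modern browsers being abused cross-site, not an authentication mechanism, so an endpoint that must never be reachable cross-site still needs its own checks.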
Trusted types configuration allows you to specify both the trusted types policies and the sinks the policies are required for. Trusted Types is an extension of CSP, so when active these options are applied to the Content-Security-Policy header. Note that the CSP specification currently defines only 'script' as a valid sink group for require-trusted-types-for, so browsers ignore other values. An example of trusted types configuration is below:
trusted_types:
    active: true
    policies: ['foo', 'bar']
    require_for: ['script', 'style']
Configuration for the bundle is handled in two stages: the defaults config and the paths config. defaults applies to every route, but can be overwritten per route in the paths config. For example:
ise_web_security:
    defaults:
        coop:
            active: true
    paths:
        '/api':
            coop:
                active: false
In the example above, coop: active: true applies to every route that is not configured otherwise. For the /api route, however, coop: active: false applies.
A number of presets exist that can be applied at any priority in the config. You can find them here.
Due to the priority system and the preset system, a few edge cases exist in the config options:
- defaults needs a full config: with some exceptions, every primary option has to be defined or an exception will be thrown.
- Presets can be overwritten at any level, but the overwrite must be complete for any given section. For example, if you overwrite coop, you need to define both the active key and the policy key.
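The following is an added example, constructed from the rules above rather than taken from the bundle's documentation, of a defaults block that defines every section shown on this page together with a complete per-section overwrite for one path. Which options count as "primary" and whether paths match by prefix or exactly are not stated on this page, so treat both as assumptions to verify against the bundle's own config validation.

```yaml
# Added example built from the rules described above; not from the bundle itself.
ise_web_security:
    defaults:
        coop:
            active: true
            policy: 'same-origin'
        coep:
            active: true
            policy: 'require-corp'
        fetch_metadata:
            active: true
            policy: Ise\WebSecurityBundle\Policies\DefaultFetchMetadataPolicy
            allowed_endpoints: ['/img']
        trusted_types:
            active: true
            policies: ['foo']
            require_for: ['script']
    paths:
        # Assumed to match the path prefix; verify against the bundle.
        '/embed':
            # Overwriting a section means restating it in full:
            # both active and policy are given, not just the key being changed.
            coop:
                active: true
                policy: 'unsafe-none'
            coep:
                active: false
                policy: 'unsafe-none'
```

The point of the /embed block is the one the second edge case makes: relaxing only coop.policy there would still require repeating coop.active, and the same holds for coep.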