Skip to content

Introduce image and CSS CSP controls#6071

Closed
Zhey-on wants to merge 1 commit intoBookStackApp:developmentfrom
Zhey-on:feature/csp-image-css-controls-6033
Closed

Introduce image and CSS CSP controls#6071
Zhey-on wants to merge 1 commit intoBookStackApp:developmentfrom
Zhey-on:feature/csp-image-css-controls-6033

Conversation

@Zhey-on
Copy link
Copy Markdown

@Zhey-on Zhey-on commented Mar 26, 2026

Summary

This PR introduces CSP controls for image and CSS sources.

In line with the issue intent, the defaults are kept relatively permissive to prevent breaking changes on existing instances, while still providing clear options to tighten policies where needed.

Changes

  • Added img-src and style-src directives to CSP handling.
  • Added environment/config options:
    • ALLOWED_IMAGE_SOURCES
    • ALLOWED_CSS_SOURCES
  • Kept permissive defaults when these options are not set, to reduce rollout risk.
  • Added tests in SecurityHeaderTest for:
    • default behavior
    • custom override behavior
  • Added documentation:
    • .env.example.complete entries and examples
    • development docs section describing controls and hardening guidance
    • README pointer to the CSP docs section

Why this approach

The implementation is intentionally conservative by default, especially compared to JS/iframe controls, so instances do not unexpectedly break after upgrade. At the same time, admins can now explicitly restrict allowed sources as part of their hardening process.

Testing

  • docker compose run --rm app php artisan test tests/SecurityHeaderTest.php --filter="style src|img src|csp"

Closes #6033.

@Zhey-on Zhey-on mentioned this pull request Mar 26, 2026
Closed
ssddanbrown
ssddanbrown requested changes Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@ssddanbrown ssddanbrown left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for offering this @Zhey-on,
Please can you remove the readme and dev/docs changes though. Information on something this specific isn't relevant for these areas. I'll document this CSP use in our docs site as part of the future release changes.

@ssddanbrown
Copy link
Copy Markdown
Member

ssddanbrown commented Apr 28, 2026

BookStack is now managed on Codeberg.

As part of this change, we're closing all existing GitHub issues and pull requests.
You'll instead find this issue on Codeberg here:
https://codeberg.org/bookstack/bookstack/pulls/6071

Any further discussion for this will now be done primarily on Codeberg.
Since this thread was created relatively recently, it won't be locked just yet, and we may still provide updates/responses here on GitHub, but it may be locked in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ssddanbrown ssddanbrown ssddanbrown requested changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Introduce image & CSS CSP controls

2 participants

@Zhey-on @ssddanbrown