Initial commit

Author: lsiebels

Api/Data/ConfigInterface.php

@@ -0,0 +1,26 @@
+<?php declare(strict_types=1);
+
+namespace Basecom\CspSplitHeader\Api\Data;
+
+/**
+ * @api
+ * @since 1.0.0
+ */
+interface ConfigInterface
+{
+    /**
+     * Check if header splitting is enabled
+     *
+     * @return bool
+     * @since 1.0.0
+     */
+    public function isHeaderSplittingEnabled();
+
+    /**
+     * Get max header size
+     *
+     * @return int
+     * @since 1.0.0
+     */
+    public function getMaxHeaderSize();
+}

Block/Adminhtml/Form/Field/CspHeader.php

@@ -0,0 +1,81 @@
+<?php declare(strict_types=1);
+
+namespace Basecom\CspSplitHeader\Block\Adminhtml\Form\Field;
+
+use Basecom\CspSplitHeader\Api\Data\ConfigInterface;
+use Magento\Backend\Block\Template;
+use Magento\Backend\Block\Template\Context;
+use Magento\Csp\Api\PolicyCollectorInterface;
+use Magento\Framework\Data\Form\Element\AbstractElement;
+use Magento\Framework\Data\Form\Element\Renderer\RendererInterface;
+
+class CspHeader extends Template implements RendererInterface
+{
+    private string $header = '';
+
+    public function __construct(
+        private readonly PolicyCollectorInterface $policyCollector,
+        private readonly ConfigInterface $config,
+        Context $context,
+        array $data = [],
+    ) {
+        $this->_template = 'Basecom_CspSplitHeader::cspHeader.phtml';
+        parent::__construct($context, $data);
+    }
+
+    public function render(AbstractElement $element): string
+    {
+        $this->setData('html_id', $element->getHtmlId());
+        $this->setData('label', $element->getData('label'));
+
+        return $this->_toHtml();
+    }
+
+    public function getCurrentHeaderSize(): int
+    {
+        return strlen($this->getCspHeader());
+    }
+
+    public function getCspHeader(): string
+    {
+        if (empty($this->header)) {
+            $cspHeader = '';
+            $policies = $this->policyCollector->collect();
+
+            foreach ($policies as $policy) {
+                $value = $policy->getValue();
+                $cspHeader .= $policy->getId().': '.$value.';'.PHP_EOL;
+            }
+            $this->header = $cspHeader;
+        }
+        return $this->header ;
+    }
+
+    public function isHeaderIsTooBig(): bool
+    {
+        $header = $this->getCspHeader();
+        $currentHeaderSize = strlen($header);
+        $maxHeaderSize = $this->config->getMaxHeaderSize();
+
+        $isHeaderSplittingEnabled = $this->config->isHeaderSplittingEnabled();
+        $headerIsTooBig = false;
+        if ($isHeaderSplittingEnabled) {
+            $headerParts = explode(PHP_EOL, $header);
+            foreach ($headerParts as $headerPart) {
+                $headerPartsSize = strlen($headerPart);
+                if ($headerPartsSize > $maxHeaderSize) {
+                    $headerIsTooBig = true;
+                    break;
+                }
+            }
+        } else {
+            $headerIsTooBig = $currentHeaderSize > $maxHeaderSize;
+        }
+        return $headerIsTooBig;
+    }
+
+    public function getConfig(): ConfigInterface
+    {
+        return $this->config;
+    }
+}

CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.1.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+### Added
+### Changed
+### Removed
+### Fixed

CONTRIBUTING.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 basecom GmbH & Co. KG
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

LICENSE

@@ -0,0 +1,37 @@
+<?php declare(strict_types=1);
+
+namespace Basecom\CspSplitHeader\Model;
+
+use Basecom\CspSplitHeader\Api\Data\ConfigInterface;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+class Config implements ConfigInterface
+{
+    public const XML_PATH_HEADER_SPLITTING_ENABLE = 'basecom_csp_split_header/settings/header_splitting_enable';
+    public const XML_PATH_MAX_HEADER_SIZE = 'basecom_csp_split_header/settings/max_header_size';
+
+    public function __construct(
+        private readonly ScopeConfigInterface $scopeConfig,
+    ) {
+    }
+
+    /**
+     * Check if header splitting is enabled
+     *
+     * @return bool
+     */
+    public function isHeaderSplittingEnabled(): bool
+    {
+        return (bool) $this->scopeConfig->getValue(self::XML_PATH_HEADER_SPLITTING_ENABLE);
+    }
+
+    /**
+     * Get max header size
+     *
+     * @return int
+     */
+    public function getMaxHeaderSize(): int
+    {
+        return (int) $this->scopeConfig->getValue(self::XML_PATH_MAX_HEADER_SIZE);
+    }
+}

Model/Config.php

@@ -0,0 +1,8 @@
+<?php declare(strict_types=1);
+
+namespace Basecom\CspSplitHeader\Plugin\Model\Policy;
+
+class PolicyHeader
+{
+    public const HEADER_NAMES = ['Content-Security-Policy-Report-Only', 'Content-Security-Policy'];
+}

Plugin/Model/Policy/PolicyHeader.php

@@ -0,0 +1,132 @@
+<?php declare(strict_types=1);
+
+namespace Basecom\CspSplitHeader\Plugin\Model\Policy\Renderer;
+
+use Basecom\CspSplitHeader\Model\Config;
+use Basecom\CspSplitHeader\Plugin\Model\Policy\PolicyHeader;
+use Laminas\Http\AbstractMessage;
+use Laminas\Http\Header\ContentSecurityPolicy;
+use Laminas\Http\Header\ContentSecurityPolicyReportOnly;
+use Laminas\Http\Header\HeaderInterface;
+use Laminas\Loader\PluginClassLoader;
+use Magento\Csp\Api\Data\PolicyInterface;
+use Magento\Csp\Model\Policy\Renderer\SimplePolicyHeaderRenderer;
+use Magento\Framework\App\Response\HttpInterface as HttpResponse;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Plugin for Simple Policy Header
+ */
+class CspHeaderSplitter
+{
+    public function __construct(
+        private readonly LoggerInterface $logger,
+        private readonly Config $config,
+    ) {
+    }
+
+    private const PLUGINS = [
+        'contentsecuritypolicyreportonly' => ContentSecurityPolicyReportOnly::class,
+        'contentsecuritypolicy'           => ContentSecurityPolicy::class,
+    ];
+
+    private array $contentHeaders = [];
+
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     * @param null $result
+     */
+    public function afterRender(
+        SimplePolicyHeaderRenderer $subject,
+        $result,
+        PolicyInterface $policy,
+        HttpResponse $response
+    ): void {
+        $headerName = $this->getHeaderName($response);
+        /** @var HeaderInterface $header */
+        $header = $response->getHeader($headerName);
+        $policyValue = $header->getFieldValue();
+        $isHeaderSplittingEnabled = $this->config->isHeaderSplittingEnabled();
+
+        $maxHeaderSize = $this->config->getMaxHeaderSize();
+        $currentHeaderSize = strlen($policyValue);
+
+        if ($isHeaderSplittingEnabled) {
+            $this->registerCspHeaderPlugins($response);
+            $this->splitUpCspHeaders($response, $policy->getId(), $policyValue);
+        } else {
+            if ($maxHeaderSize >= $currentHeaderSize) {
+                $response->setHeader($headerName, $policyValue, true);
+            } else {
+                $this->logger->error(
+                    sprintf(
+                        'Unable to set the CSP header. The header size of %d bytes exceeds the '.
+                        'maximum size of %d bytes.',
+                        $currentHeaderSize,
+                        $maxHeaderSize
+                    )
+                );
+            }
+        }
+    }
+
+    /**
+     * The CSP headers normally use the GenericHeader class, which does not support multi-header values.
+     * The Laminas framework includes multi-value supported special classes for CSP headers.
+     * With this registration we enable the usage of the special classes by registering the definitions to the
+     * plugin loader class.
+     */
+    private function registerCspHeaderPlugins(HttpResponse $response): void
+    {
+        /** @var AbstractMessage $response */
+        /** @var PluginClassLoader $pluginClassLoader */
+        $pluginClassLoader = $response->getHeaders()->getPluginClassLoader();
+        $pluginClassLoader->registerPlugins(self::PLUGINS);
+    }
+
+    /**
+     * Make sure that the CSP headers are handled as several headers ("multi-header")
+     */
+    private function splitUpCspHeaders(HttpResponse $response, string $policyId, string $policyValue): void
+    {
+        $headerName = $this->getHeaderName($response);
+
+        if (!$headerName) {
+            return;
+        }
+
+        $newHeader = $policyId.' '.$policyValue.';';
+        $maxHeaderSize = $this->config->getMaxHeaderSize();
+        $newHeaderSize = strlen($policyValue);
+
+        if ($newHeaderSize <= $maxHeaderSize) {
+            $this->contentHeaders[] = $newHeader;
+        } else {
+            $this->logger->error(
+                sprintf(
+                    'Unable to set the CSP header. The header size of %d bytes exceeds the '.
+                    'maximum size of %d bytes.',
+                    $newHeaderSize,
+                    $maxHeaderSize
+                )
+            );
+        }
+
+        foreach ($this->contentHeaders as $i => $headerPart) {
+            $isFirstEntry = ($i === 0);
+            $response->setHeader($headerName, $headerPart.';', $isFirstEntry);
+        }
+    }
+
+    private function getHeaderName(HttpResponse $response): string
+    {
+        $headerName = '';
+        foreach (PolicyHeader::HEADER_NAMES as $name) {
+            $headerContent = $response->getHeader($name);
+            if ($headerContent) {
+                $headerName = $name;
+            }
+        }
+        return $headerName;
+    }
+}

Plugin/Model/Policy/Renderer/CspHeaderSplitter.php

@@ -0,0 +1,30 @@
+{
+    "name": "basecom/magento2-csp-split-header",
+    "version": "1.0.0",
+    "description": "N/A",
+    "type": "magento2-module",
+    "license": [
+        "MIT"
+    ],
+    "authors": [
+        {
+            "name": "Team Magento @basecom",
+            "email": "[email protected]"
+        }
+    ],
+    "require": {
+        "php": "~8.1",
+        "magento/framework": "*",
+        "magento/module-csp": "*",
+        "magento/module-config": "*",
+        "magento/module-backend": "*"
+    },
+    "autoload": {
+        "files": [
+            "registration.php"
+        ],
+        "psr-4": {
+            "Basecom\\CspSplitHeader\\": ""
+        }
+    }
+}