Merge pull request #2 from basecom/feat/add-readme

mfickers · web-flow · commit f2cc2da3a643 · 2024-08-06T08:31:48.000+02:00
Feat add readme
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,13 +15,20 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Fixed
 
-## [1.0.1] - 2020-01-01
+## [1.0.2] - 2024-08-05
+
+### Added
+
+- Added README
+
+## [1.0.1] - 2024-08-02
 
 ### Fixed
 
 - Fixed issue where the fetch directive was added twice to the CSP header content.
 
 ## [1.0.0] - 2024-08-02
 
+[1.0.2]: https://github.com/basecom/magento2-csp-split-header/compare/v1.0.1...v1.0.2
 [1.0.1]: https://github.com/basecom/magento2-csp-split-header/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/basecom/magento2-csp-split-header/releases/tag/v1.0.0
diff --git a/README.md b/README.md
@@ -0,0 +1,90 @@
+# Basecom_CspSplitHeader Magento 2 Module
+
+<div style="text-align: center;">
+
+[![Software License][ico-license]](LICENSE)
+![Supported Magento Versions][ico-compatibility]
+
+</div>
+
+---
+
+> [!IMPORTANT]  
+> As of Magento 2.4.7 it is no longer possible to deactivate the Magento CSP module.
+
+With a growing _Content Security Policies_ (CSP) whitelist, the problem can arise that the
+headers `Content-Security-Policy-Report-Only` and/or `Content-Security-Policy` become so large that they exceed the
+maximum permitted size of a header field, causing the web server to not process the response any further.
+
+The CSP mechanism allows multiple policies to be specified for a resource, including via the `Content-Security-Policy`
+header, the `Content-Security-Policy-Report-Only` header and a `meta`
+element [[MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies)].
+__Therefore, the headers can be specified more than once.__
+
+This is where the module comes into play. It implements an _after method plugin_ for the
+method `Magento\Csp\Model\Policy\Renderer\SimplePolicyHeaderRenderer::render`, which replaces the existing CSP headers
+via the method `\Magento\Framework\App\Response\HttpInterface::setHeader`. The header is read, split so that the syntax
+remains valid, and replaced by the new headers. The result is a separate header for each directive, each of which should
+no longer exceed the maximum permitted length of the web server.
+
+> [!TIP]
+> If the headers are too large even after splitting, try to identify unnecessary Magento modules and remove them.
+
+## Installation
+
+1. Install it into your Magento 2 project with composer:
+
+    ```console
+    composer require basecom/magento2-csp-split-header
+    ```
+
+2. Enable module
+
+    ```console
+    bin/magento setup:upgrade
+    ```
+
+## Configuration
+
+| Config                                                      | Default Value  | Description                                                |
+|-------------------------------------------------------------|----------------|------------------------------------------------------------|
+| `basecom_csp_split_header/settings/header_splitting_enable` | 0 _(disabled)_ | enables (1) / disables (0) the splitting of the CSP header |
+| `basecom_csp_split_header/settings/max_header_size`         | 8000           | maximum allowed header size                                |
+
+These values can be updated in the system configuration under `Basecom -> Content Security Policy -> Enable`.
+
+## Example
+
+1. CSP splitting _disabled_
+
+    ```HTTP
+    Content-Security-Policy: default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;                          
+    ```
+
+2. CSP splitting _enabled_
+
+    ```HTTP
+    Content-Security-Policy: default-src 'self' https://example.com; 
+    Content-Security-Policy: connect-src 'none'; 
+    Content-Security-Policy: script-src https://example.com/;                          
+    ```
+
+## Contributing
+
+Please see [CONTRIBUTING](CONTRIBUTING.md) for details.
+
+## Security
+
+If you discover any security related issues, please email <magento@basecom.de> instead of using the issue tracker.
+
+## License
+
+The MIT License (MIT). Please see [License File](LICENSE) for more information.
+
+## Copyright
+
+&copy; 2024 basecom GmbH & Co. KG
+
+[ico-license]: https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square
+
+[ico-compatibility]: https://img.shields.io/badge/magento-2.4-brightgreen.svg?logo=magento&longCache=true&style=flat-square
diff --git a/composer.json b/composer.json
@@ -1,6 +1,6 @@
 {
     "name": "basecom/magento2-csp-split-header",
-    "version": "1.0.1",
+    "version": "1.0.2",
     "description": "N/A",
     "type": "magento2-module",
     "license": [

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "basecom/magento2-csp-split-header",`
`3`		`- "version": "1.0.1",`
	`3`	`+ "version": "1.0.2",`
`4`	`4`	`"description": "N/A",`
`5`	`5`	`"type": "magento2-module",`
`6`	`6`	`"license": [`