load two yaml configs
We have added the ability to merge custom CSP rules configuration with the provided ones through PROXY_CSP_CONFIG_FILE_LOCATION (and its yaml equivalent csp_config_file_location) and the ability to completely override the CSP rules configuration through PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION (and its yaml equivalent csp_config_file_override_location).
refs #1475
nice! hm ... I'm not sure this produces what we expect, when an admin has currently provided a csp rule file where he dropped e.g. the rules to github. would we not then merge them back because they are in our default? ... I guess that is fine, because he can now overrule them ... but we need to document this properly ... as it might cause unwanted security side effects.
I am aware of https://github.com/opencloud-eu/opencloud/issues/1475#issuecomment-3502269154 ... but why don't we introduce a PROXY_CSP_CONFIG_CUSTOMIZATIONS_FILE that allows adding additional rules. If someone really wants to get rid of the rules we provide he can point PROXY_CSP_CONFIG_FILE_LOCATION to an empty file and use his PROXY_CSP_CONFIG_CUSTOMIZATIONS_FILE. Of course he will then have to deal with updates himself.
I find that clearer than a PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION.
hm ... I'm not against this ... I am just worried about admins screaming "security incident!!!"
... but it would still leave the update check broken for an unknown number of existing instances. Which is the point of my bug report and the main reason for this PR.
But I agree that we need clear documentation about all of this.
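The merge concern raised in this thread, as an added example that is not part of the PR or the project's code: it assumes the merge is a per-directive union of sources, and reports which default sources an admin's existing file had dropped and a merge would add back. The `CSP` type, the function names and the hosts are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"slices"
	"sort"
)

// CSP maps a directive name (e.g. connect-src) to its allowed sources.
type CSP map[string][]string

// Merge returns the per-directive union of defaults and custom.
// Assumption: this is how the merge behaves; the page does not show it.
func Merge(defaults, custom CSP) CSP {
	out := CSP{}
	for _, cfg := range []CSP{defaults, custom} {
		for dir, srcs := range cfg {
			for _, s := range srcs {
				if !slices.Contains(out[dir], s) {
					out[dir] = append(out[dir], s)
				}
			}
		}
	}
	return out
}

// Reintroduced lists "directive source" pairs that are in the defaults but
// absent from the admin's file, i.e. what a merge silently adds back when
// that file used to be the complete policy.
func Reintroduced(defaults, custom CSP) []string {
	var out []string
	for dir, srcs := range defaults {
		for _, s := range srcs {
			if !slices.Contains(custom[dir], s) {
				out = append(out, dir+" "+s)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample data, not the project's shipped rules.
	defaults := CSP{"connect-src": {"'self'", "https://github.example.test/"}}
	custom := CSP{"connect-src": {"'self'", "https://idp.example.test/"}}
	fmt.Println("merged:", Merge(defaults, custom))
	fmt.Println("added back by merge:", Reintroduced(defaults, custom))
}
```

An admin who wants none of the listed sources back would need the override path rather than the merge path.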