
feat: use wildcard for readspeaker directives #38

Merged
laravdiemen merged 1 commit into main from feat/readspeaker-wildcard on Mar 27, 2026
Conversation

@laravdiemen (Contributor)

Since ReadSpeaker changes their URL quite often, we now use a wildcard so we don't have to keep adding it again and again.

Copilot AI review requested due to automatic review settings March 27, 2026 08:10
@laravdiemen laravdiemen requested a review from a team as a code owner March 27, 2026 08:10

Copilot AI left a comment


Pull request overview

This PR updates the Content Security Policy (CSP) configuration to be more resilient to ReadSpeaker endpoint/domain changes by using a wildcard host source instead of an explicit subdomain allowlist.

Changes:

  • Replaced explicit ReadSpeaker subdomain lists with https://*.readspeaker.com across relevant CSP directives.
  • Simplified ReadSpeaker CSP configuration by using a single wildcard pattern for connect/style/form-action/frame/media sources.


Comment thread src/Basic.php Outdated
Comment on lines +189 to +193
->addDirective(Directive::CONNECT, 'https://*.readspeaker.com')
->addDirective(Directive::STYLE, 'https://*.readspeaker.com')
->addDirective(Directive::FORM_ACTION, 'https://*.readspeaker.com')
->addDirective(Directive::FRAME, 'https://*.readspeaker.com')
->addDirective(Directive::MEDIA, 'https://*.readspeaker.com')
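Review bot: the wildcard on `Directive::FORM_ACTION`, `Directive::FRAME` and `Directive::MEDIA` (lines +191 to +193) lets any readspeaker.com subdomain receive form submissions, be embedded as a frame and serve media, which is a wider grant than the endpoint churn that motivates the change requires; keep those three directives on explicit hosts and use `https://*.readspeaker.com` only for `Directive::CONNECT` and `Directive::STYLE`, with a short comment above the block stating why the wildcard is needed there.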

Copilot AI Mar 27, 2026


Switching the ReadSpeaker allowlist to https://*.readspeaker.com significantly broadens the CSP compared to the previous explicit subdomain list (especially for form-action and frame-src). This weakens the protection against unintended form posts / framing to unexpected ReadSpeaker subdomains. Consider keeping FORM_ACTION and FRAME restricted to the minimal required hosts (or add a brief inline comment explaining why the broader wildcard is acceptable here).

Contributor (Author)


@ictbeheer what do you think of this suggestion? Should I not use the wildcard there?

Member


Yes, I have to agree with Copilot on this one, and the same goes for MEDIA, by the way.

Contributor (Author)


I've changed it; only CONNECT and STYLE still use the wildcard now.
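To make the reviewers' point concrete, here is an added example (not the project's code; the explicit ReadSpeaker host names in it are constructed placeholders): a simplified CSP host-source matcher following the scheme, host and port rules of the CSP Level 3 matching algorithm, used to compare the all-wildcard policy of the first revision with the narrowed one the thread settled on. It shows that `https://*.readspeaker.com` matches every readspeaker.com subdomain over https on port 443 (but not the bare domain, another scheme or port, or a lookalike domain), so on `form-action`, `frame-src` and `media-src` it grants more than an explicit host does.

```python
"""Simplified CSP host-source matching (scheme, host, port; paths omitted).

Added example for the ReadSpeaker wildcard discussion; not the project's code.
"""
from urllib.parse import urlsplit

# Default ports used when a host-source or URL carries no explicit port.
DEFAULT_PORTS = {"https": 443, "http": 80}


def host_source_matches(source: str, url: str) -> bool:
    """Return True if `url` matches the CSP host-source expression `source`.

    A host beginning with "*." matches one or more subdomain labels but never
    the bare domain itself. A source without an explicit port matches only the
    default port of its scheme (or of the URL's scheme when the source has none).
    """
    src = urlsplit(source if "://" in source else "//" + source)
    tgt = urlsplit(url)
    tgt_scheme = tgt.scheme.lower()
    src_scheme = src.scheme.lower() or tgt_scheme
    if src.scheme and src_scheme != tgt_scheme:
        return False
    src_host = (src.hostname or "").lower()
    tgt_host = (tgt.hostname or "").lower()
    if src_host.startswith("*."):
        suffix = src_host[1:]  # e.g. ".readspeaker.com"
        if not tgt_host.endswith(suffix):
            return False
    elif src_host != tgt_host:
        return False
    src_port = src.port or DEFAULT_PORTS.get(src_scheme)
    tgt_port = tgt.port or DEFAULT_PORTS.get(tgt_scheme)
    return src_port is not None and src_port == tgt_port


def allowed(sources: list[str], url: str) -> bool:
    """True if any host-source in a directive's source list permits `url`."""
    return any(host_source_matches(s, url) for s in sources)


# Constructed comparison of the two revisions discussed in the thread.
# The explicit host names are placeholders, not the hosts the project allowlists.
WILDCARD_POLICY = {
    "connect-src": ["https://*.readspeaker.com"],
    "style-src": ["https://*.readspeaker.com"],
    "form-action": ["https://*.readspeaker.com"],
    "frame-src": ["https://*.readspeaker.com"],
    "media-src": ["https://*.readspeaker.com"],
}
NARROWED_POLICY = {
    "connect-src": ["https://*.readspeaker.com"],  # endpoint churn: wildcard kept
    "style-src": ["https://*.readspeaker.com"],
    "form-action": ["https://app-placeholder.readspeaker.com"],  # placeholder host
    "frame-src": ["https://app-placeholder.readspeaker.com"],  # placeholder host
    "media-src": ["https://media-placeholder.readspeaker.com"],  # placeholder host
}


def evaluate(policy: dict[str, list[str]], directive: str, url: str) -> bool:
    """Evaluate `url` against one directive of a policy (no default-src fallback)."""
    return allowed(policy.get(directive, []), url)


if __name__ == "__main__":
    probe = "https://some-other-host.readspeaker.com/submit"
    for name, policy in (("wildcard", WILDCARD_POLICY), ("narrowed", NARROWED_POLICY)):
        for directive in ("form-action", "frame-src", "media-src"):
            print(f"{name:8} {directive:12} -> {evaluate(policy, directive, probe)}")
```

Running the block prints `True` for all three directives under the wildcard policy and `False` under the narrowed one for a subdomain that is not on the explicit list, while `connect-src` keeps matching any subdomain in both, which is exactly the split the thread converged on.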

@laravdiemen laravdiemen force-pushed the feat/readspeaker-wildcard branch from a40fae1 to fb1e839 Compare March 27, 2026 08:46
@laravdiemen laravdiemen merged commit df0a714 into main Mar 27, 2026
2 checks passed
@laravdiemen laravdiemen deleted the feat/readspeaker-wildcard branch March 27, 2026 09:05
3 participants