Comments (12)
sedge/thimble.webmaker.org#14 fixes a bunch of 404s
sedge/thimble.webmaker.org#15 fixes 95% of the CSP warnings
So we're left with 2 issues in the console, neither of which is critical, but we should fix.
- We need to load the CSS/Fonts for the Filer dialogs, which requires doing a bower install in the extension's directory. We're not really using these dialogs yet, so that can be done later.
- The crap we get here:
The Content Security Policy 'connect-src 'self' http://*.log.optimizely.com https://*.log.optimizely.com wss://hub.togetherjs.com; default-src 'self'; frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/previewloader.html https://login.persona.org; font-src 'self' https://togetherjs.com https://fonts.gstatic.com https://netdna.bootstrapcdn.com; img-src *; media-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://cdn.optimizely.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://ssl.google-analytics.com https://www.youtube.com https://s.ytimg.com https://login.persona.org http://localhost:8811; style-src 'self' 'unsafe-inline' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
is because we don't have a place where these reports are going. We probably should. @jbuck, do you have a place where CSP reports are supposed to go for Webmaker? I want to suppress all this noise about not having a report-uri directive.
@humphd we could enable CSP on thimble, I guess? :D
Have you guys done that elsewhere? How was it? What will it mean for things the user loads via the editor?
We have it enabled on some of our sites. It shouldn't mean anything for the user, because CSP only applies to the editor context, not the rendering iframe. Removing CSP Report-only mode is also an option, if enforcing CSP is too difficult.
Except that the way we isolate the different parts of the app with Bramble is different. Instead of Thimble holding an editor and a preview iframe, we put the editor + preview in another iframe (so Thimble hosts the Brackets iframe which holds a preview iframe). So I think it might cause us some issues. Let's follow-up next week on irc.
Let's finish this off by trying to turn on CSP, now that @sedge has done the domain boundaries between the editor/preview and app.
This might be a bit tricky to do at the moment:
bramble.mofostaging.net/:22 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
3webmakerLogin.min.js:5 [Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://www.google-analytics.com https://login.persona.org undefined".
2about:blank:1 The Content Security Policy 'connect-src 'self' wss://hub.togetherjs.com; default-src 'self'; frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/bramble https://login.persona.org; font-src 'self' https://togetherjs.com https://fonts.gstatic.com https://netdna.bootstrapcdn.com; img-src *; media-src *; script-src 'self' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://www.google-analytics.com https://login.persona.org undefined; style-src 'self' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
require-config.js:86 require.baseUrl is /friendlycode/js
6/friendlycode/vendor/underscore.min.js:30 [Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://www.google-analytics.com https://login.persona.org undefined".
3ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js:3 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js:3 The Content Security Policy 'connect-src 'self' wss://hub.togetherjs.com; default-src 'self'; frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/bramble https://login.persona.org; font-src 'self' https://togetherjs.com https://fonts.gstatic.com https://netdna.bootstrapcdn.com; img-src *; media-src *; script-src 'self' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://www.google-analytics.com https://login.persona.org undefined; style-src 'self' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js:3 [Report Only] Refused to frame 'https://mozillathimblelivepreview.net/bramble/dist' because it violates the following Content Security Policy directive: "frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/bramble https://login.persona.org".
bramble.mofostaging.net/:1 [Report Only] Refused to frame 'https://mozillathimblelivepreview.net/bramble/dist/' because it violates the following Content Security Policy directive: "frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/bramble https://login.persona.org".
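As an added example (not code from the Thimble or Bramble projects), the small checker below covers the two problems raised in this thread: a Report-Only policy with no report-uri or report-to, which the browser ignores as the console warning says, and the frame-src refusals above, which come from CSP path matching (a source path without a trailing slash matches only that exact path, so https://mozillathimblelivepreview.net/bramble does not cover /bramble/dist). The policy string is cut down to the directives that matter from the console output above, and the 'self' origin is assumed to be https://bramble.mofostaging.net.

```javascript
// Added example, not code from Thimble/Bramble: a small CSP checker for the
// two failure modes in this thread. Policy string shortened from the console
// output above; the 'self' origin is an assumption taken from those lines.
const SELF_ORIGIN = 'https://bramble.mofostaging.net';
const REPORT_ONLY_POLICY =
  "default-src 'self'; frame-src 'self' https://docs.google.com " +
  "https://mozillathimblelivepreview.net/bramble https://login.persona.org";

// "directive src src; directive src" -> Map(directive -> [sources]).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// A Report-Only policy with nowhere to send reports is ignored by the browser.
function reportOnlyIsEffective(header) {
  const policy = parsePolicy(header);
  return policy.has('report-uri') || policy.has('report-to');
}

// Does one host-source cover `url`? Path rule: no path -> any path;
// trailing '/' -> prefix match; otherwise the path must match exactly.
function sourceMatches(source, url, selfOrigin) {
  if (source === '*') return true;
  if (source === "'self'") source = selfOrigin;
  else if (source.startsWith("'")) return false; // keywords/nonces name no host
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  const u = new URL(url);
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? u.host.endsWith(h.slice(1)) : u.host === h;
  if (!hostOk) return false;
  if (!path) return true;
  return path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path;
}

// Directive lookup with the default-src fallback browsers apply.
function directiveAllows(policy, directive, url, selfOrigin = SELF_ORIGIN) {
  const sources = policy.get(directive) || policy.get('default-src');
  if (!sources) return true; // nothing restricts this fetch type
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}
```

Changing the frame-src entry to https://mozillathimblelivepreview.net/bramble/ (trailing slash) turns it into a prefix match and makes the /bramble/dist/ frame pass.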
The worst ones are the Refused to evaluate a string as JavaScript errors. I'm not sure how we can get around that, but a properly protected site would lock that down.
Everything else I can deal with. Should we allow unsafe-eval? @jbuck What do you think?
Ideally we don't, but I don't know if that's possible. I defer to you!