GithubHelp home page GithubHelp logo

Enable CSP for thimble.wm.o about brackets HOT 12 CLOSED

mozilla avatar mozilla commented on August 23, 2024
Enable CSP for thimble.wm.o

from brackets.

Comments (12)

humphd avatar humphd commented on August 23, 2024

sedge/thimble.webmaker.org#14 fixes a bunch of 404s

from brackets.

humphd avatar humphd commented on August 23, 2024

sedge/thimble.webmaker.org#15 fixes 95% of the CSP warnings

from brackets.

humphd avatar humphd commented on August 23, 2024

So we're left with 2 issues in the console, neither of which is critical, but we should fix.

  1. We need to load the CSS/Fonts for the Filer dialogs, which requires doing a bower install in the extension's directory. We're not really using these dialogs yet, so that can be done later.

  2. The crap we get here:

The Content Security Policy 'connect-src 'self' http://*.log.optimizely.com https://*.log.optimizely.com wss://hub.togetherjs.com; default-src 'self'; frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/previewloader.html https://login.persona.org; font-src 'self' https://togetherjs.com https://fonts.gstatic.com https://netdna.bootstrapcdn.com; img-src *; media-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://cdn.optimizely.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://ssl.google-analytics.com https://www.youtube.com https://s.ytimg.com https://login.persona.org http://localhost:8811; style-src 'self' 'unsafe-inline' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.

is because we don't have a place where these reports are going. We probably should. @jbuck, do you have a place where CSP reports are supposed to go for Webmaker? I want to suppress all this noise about not having a report-uri directive.

from brackets.

jbuck avatar jbuck commented on August 23, 2024

@humphd we could enable CSP on thimble, I guess? :D

from brackets.

humphd avatar humphd commented on August 23, 2024

Have you guys done that elsewhere? How was it? What will it mean for things the user loads via the editor?

from brackets.

jbuck avatar jbuck commented on August 23, 2024

We have it enabled on some of our sites. It shouldn't mean anything for the user, because CSP only applies to the editor context, not the rendering iframe. Removing CSP Report-only mode is also option, if enforcing CSP is too difficult.

from brackets.

humphd avatar humphd commented on August 23, 2024

Except that the way we isolate the different parts of the app with Bramble is different. Instead of Thimble holding an editor and a preview iframe, we put the editor + preview in another iframe (so Thimble hosts the Brackets iframe which holds a preview iframe). So I think it might cause us some issues. Let's follow-up next week on irc.

from brackets.

humphd avatar humphd commented on August 23, 2024

Let's finish this off by trying to turn on CSP, now that @sedge has done the domain boundaries between the editor/preview and app.

from brackets.

humphd avatar humphd commented on August 23, 2024

This might be a bit tricky to do at the moment:

bramble.mofostaging.net/:22 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

3webmakerLogin.min.js:5 [Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://www.google-analytics.com https://login.persona.org undefined".

2about:blank:1 The Content Security Policy 'connect-src 'self' wss://hub.togetherjs.com; default-src 'self'; frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/bramble https://login.persona.org; font-src 'self' https://togetherjs.com https://fonts.gstatic.com https://netdna.bootstrapcdn.com; img-src *; media-src *; script-src 'self' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://www.google-analytics.com https://login.persona.org undefined; style-src 'self' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
require-config.js:86 require.baseUrl is /friendlycode/js
6/friendlycode/vendor/underscore.min.js:30 [Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://www.google-analytics.com https://login.persona.org undefined".

3ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js:3 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js:3 The Content Security Policy 'connect-src 'self' wss://hub.togetherjs.com; default-src 'self'; frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/bramble https://login.persona.org; font-src 'self' https://togetherjs.com https://fonts.gstatic.com https://netdna.bootstrapcdn.com; img-src *; media-src *; script-src 'self' http://mozorg.cdn.mozilla.net http://*.newrelic.com https://*.newrelic.com https://ajax.googleapis.com https://mozorg.cdn.mozilla.net https://www.google-analytics.com https://login.persona.org undefined; style-src 'self' http://mozorg.cdn.mozilla.net https://ajax.googleapis.com https://fonts.googleapis.com https://mozorg.cdn.mozilla.net https://togetherjs.com https://netdna.bootstrapcdn.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js:3 [Report Only] Refused to frame 'https://mozillathimblelivepreview.net/bramble/dist' because it violates the following Content Security Policy directive: "frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/bramble https://login.persona.org".

bramble.mofostaging.net/:1 [Report Only] Refused to frame 'https://mozillathimblelivepreview.net/bramble/dist/' because it violates the following Content Security Policy directive: "frame-src 'self' https://docs.google.com https://mozillathimblelivepreview.net/bramble https://login.persona.org".

from brackets.

sedge avatar sedge commented on August 23, 2024

The worst ones are the Refused to evaluate a string as JavaScript errors. I'm not sure how we can get around that, but a properly protected site would lock that down.

from brackets.

sedge avatar sedge commented on August 23, 2024

Everything else I can deal with. Should we allow unsafe-eval? @jbuck What do you think?

from brackets.

jbuck avatar jbuck commented on August 23, 2024

Ideally we don't, but I don't know if that's possible. I defer to you!

from brackets.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.