
Add content security policy #137

Merged
merged 6 commits into from
Jan 27, 2023

Conversation

@mgreminger (Owner) commented Jan 22, 2023

Prevents inline JavaScript and cross-site scripting.

This breaks live reload in local development. Will move the CSP to _worker.ts to allow a different CSP for dev and production.

Current exceptions:

  • font-src *: for carbon components that use the IBM CDN for fonts (will look into bundling fonts with the site instead)
  • style-src 'unsafe-inline': required for plotly.js (see this plotly issue)
  • image-src *: currently users can paste image links into the quill editor; will look into disabling this capability
  • image-src data:: required if a user inserts an image as a base64 image into the quill editor
  • image-src blob:: needed when plotly.js downloads a plot as PNG

Commits

Prevents inline JavaScript and cross-site scripting.

This breaks live reload in local development. Will move the CSP to _wrangler.ts to allow a different CSP for dev and production.

Current exceptions:

  • font-src *: for carbon components that use the IBM CDN for fonts (will look into bundling fonts with the site instead)
  • style-src 'unsafe-inline': required for plotlyjs
  • image-src *: currently users can paste image links into the quill editor; will look into disabling this capability
  • image-src data:: required if a user pastes an image into the quill editor
  • image-src blob:: needed when plotlyjs downloads a plot as PNG

Fonts are now bundled after merging #139

This makes it easy to have a different CSP for dev mode to enable live reload.

This silences some TS errors

Use origin instead. Doesn't really impact anything except for the URLs stored in the history, since the front end was using getHash for everything anyway.
@mgreminger (Owner, Author) commented:

Merging #139 allowed for the removal of the font exception. The following CSP exceptions are still in place:

  • style-src 'unsafe-inline': required for plotly.js
  • image-src *: the quill editor allows users to paste image URLs
  • image-src data:: required if a user inserts an image as a base64 image into the quill editor
  • image-src blob:: needed when plotly.js downloads a plot as PNG
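As an added example (not code from this repository), the policy the comments above describe, built per mode the way a `_worker.ts` middleware would, with a small lint that names why each remaining exception matters. The dev-mode additions for live reload (a WebSocket connect-src and an inline script) and the `setCspHeader` wiring are assumptions, not something the PR states.

```typescript
// Added example, not code from the mgreminger project: the CSP this PR describes,
// built per mode, plus a lint that names why each remaining exception is a risk.
type Mode = "dev" | "production";
type Policy = { [directive: string]: string[] };

function cspDirectives(mode: Mode): Policy {
  const policy: Policy = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],                   // no inline JavaScript in production
    "style-src": ["'self'", "'unsafe-inline'"], // plotly.js needs inline styles
    "img-src": ["*", "data:", "blob:"],         // quill URL paste, base64 paste, plotly PNG
    "font-src": ["'self'"],                     // fonts bundled with the site after #139
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  if (mode === "dev") {
    // Assumption: the dev server's live reload needs a WebSocket and an injected inline script.
    policy["connect-src"] = ["'self'", "ws://localhost:*"];
    policy["script-src"].push("'unsafe-inline'");
  }
  return policy;
}

// Serialize the directive map into the Content-Security-Policy header value.
function buildCsp(mode: Mode): string {
  const policy = cspDirectives(mode);
  return Object.keys(policy).map((d) => d + " " + policy[d].join(" ")).join("; ");
}

// Structural type so this works with the Headers of a Worker Response (assumed wiring).
function setCspHeader(headers: { set(name: string, value: string): void }, mode: Mode): string {
  const value = buildCsp(mode);
  headers.set("Content-Security-Policy", value);
  return value;
}

// Review-style lint: each warning is an exception a reader of this PR would want justified.
function lintCsp(header: string): string[] {
  const warnings: string[] = [];
  for (const directive of header.split(";")) {
    const parts = directive.trim().split(/\s+/);
    const name = parts[0];
    const sources = parts.slice(1);
    if (!name) continue;
    if (sources.indexOf("'unsafe-inline'") !== -1) {
      warnings.push(name === "script-src"
        ? "script-src: 'unsafe-inline' lets injected <script> tags execute (XSS)"
        : name + ": 'unsafe-inline' lets injected inline content through");
    }
    if (sources.indexOf("*") !== -1) warnings.push(name + ": wildcard allows loading from any origin");
    for (const scheme of ["data:", "blob:"]) {
      if (sources.indexOf(scheme) !== -1) warnings.push(name + ": " + scheme + " allows page-constructed content");
    }
  }
  return warnings;
}
```

Running `lintCsp(buildCsp("production"))` reports exactly the four exceptions listed in the comment above, and the dev policy adds a fifth for the inline script.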

@mgreminger mgreminger merged commit be4212f into main Jan 27, 2023
@mgreminger mgreminger deleted the csp branch January 27, 2023 18:04