-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Embed CSP meta tag and stop using script-src unsafe-inline #12258
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great overall!
Please file a new issue for the unsafe-eval
if we don't have one already (I'd like to use something separate from #3632 at least).
Thanks also for the font-src
fix, and splitting child-src
to frame-src
and worker-src
.
Safari doesn't yet support worker-src
... Maybe it's best to keep child-src
for older browsers, but also have frame-src
and worker-src
for newer ones?
…or backwards compat and split onto multiple lines for readability Signed-off-by: Michael Telatynski <[email protected]>
Co-Authored-By: J. Ryan Stinnett <[email protected]>
Slightly off-topic, just in case someone wonders (like I did) what happens if CSP is defined as HTTP header and meta tag (which probably happens for self-hosted riot instances with CSP via HTTP header with this change):
|
Right, we'll remove the HTTP specified ones once this PR has been deployed to release. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, thanks! 😁
default-src 'none'; | ||
style-src 'self' 'unsafe-inline'; | ||
script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; | ||
img-src * blob: data:; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why img-src *
?
At the time I've suggested one it did seem to work without that (in my tests). Maybe I did not use/test some third-party image embedding loading?
That said, loading images directly from third-party servers may/should possibly be avoided due to privacy concerns, should not it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it was copied from the CSP header served at riot.im/app
I did not evaluate img-src, feel free to open an issue for it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done: #12304
* Remove allchange dependency Signed-off-by: Michael Telatynski <[email protected]> * Remove stale release scripts Signed-off-by: Michael Telatynski <[email protected]> * Update pull request template to remove allchange behaviours Signed-off-by: Michael Telatynski <[email protected]> --------- Signed-off-by: Michael Telatynski <[email protected]>
Fixes #3632