[BUG] Latex-Support plugin doesn't implement CSP rules #6200
Comments
Thanks for bringing up this issue. Please use the issue tracker of this extension: https://github.com/aledeg/xExtension-LatexSupport/issues (Ping @aledeg)
Hi! I did not intend to use this issue tracker. However, the latest commit of that plugin was 3 years ago. I have no way but to ask here. And this issue can be general for others who are developing plugins or inserting something. I hope you can answer it if available.
I thought that the issue tracker of this extension is available for everyone. I apologize. This extension uses inline code that is prohibited by the CSP (Content Security Policy) of FreshRSS. It is an important security layer. The fix needs to be done by the extension itself. Could you please give some example feeds with LaTeX code? It would help to understand the issue better.
Fine. You can try this feed with a CSS selector as
(I rather doubt I have any special permissions there, opened one at aledeg/xExtension-LatexSupport#3.)
any help?
I'll look into that
There was no issue so far. There is no need to change when it's working. That's why there was no commit.
Sorry. I beg to differ. Have you tried my feed yet? How could you say there was no issue? The console is almost bombarded with errors. Or are you using a very old FreshRSS?
There was no issue so far. I will look into your feed.
Please paste your feed configuration (screenshot for instance). I cannot add it on my instance with the limited information I have.
Here. Tks!
It's not really a CSP problem. It's how extensions add scripts. MathJax scripts load other scripts by using their relative paths. That's not how extensions work in FreshRSS. The file html.js is not loaded. I guess that nobody had a problem with that before. I certainly don't. It's under investigation.
@Alkarex Is there a way to alter the CSP from an extension? I can make this extension work but I need to tweak the CSP rules. Thank you
Thanks for your help! If we fail to alter the CSP by an extension, can the user alter the CSP by rewriting the volumes:
- ./FreshRSS.php:/var/www/FreshRSS/app/FreshRSS.php
@sherlcok314159 The user way to alter the CSP is at Web server level (e.g. Apache), not at PHP level, which will fail at each FreshRSS update. @aledeg So far, controllers have access to a method to redefine CSP: FreshRSS/lib/Minz/ActionController.php Lines 75 to 95 in b5445e1
I have not checked how practical this is for extensions, but that could be extended if needed (I will be with intermittent Internet connectivity the coming two weeks) |
Thank you for your answer. |
Thanks for your help again!!! |
Hi, aledeg, any update? Is there anything I can help with? :-) |
I did not have time to look into it. But I will. @Alkarex I think we might need something to interact with the CSP directly from the extension. Probably a hook is a way to go. If you think this is a good idea, I can work on that. If you don't, what do you have in mind? Thank you! |
@aledeg A hook sounds like a possibility, yes. Another approach could be to add a method to the base extension class, if needed. |
@sherlcok314159 there is a fix to use the library from a CDN. You need the
The LaTeX JS probably requires inline styles to render the math and the CSP rules disable that. I'm not really sure what disabling inline styles is good for at all tbh, but that aside. But what doesn't work about unsafe-inline exactly?
That's the weird thing. When the rules are not authorized it works (see first capture). But it does not work when the rules are authorized (see second capture). I am lost :)
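The CSP question debated in the comments above (inline styles for rendered math, script files from the extension or a CDN, and why 'unsafe-inline' may not take effect), as an added example that is not code from FreshRSS or xExtension-LatexSupport: a small evaluator of what a Content-Security-Policy header permits, so a proposed policy can be checked offline instead of by watching console errors. The policies, the site origin and the CDN host in it are constructed placeholders.

```javascript
// Added example, not FreshRSS or xExtension-LatexSupport code: evaluates whether a
// Content-Security-Policy header permits the resources a MathJax-style extension needs.
// Parse "directive sources; directive sources" into {directive: [sources]}.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}
// Source list governing a directive, with the default-src fallback browsers apply;
// null means the policy places no restriction on that directive at all.
function effectiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}
// Host-source match: exact host or a "*." wildcard; the scheme is ignored for brevity.
function hostMatches(source, origin) {
  const host = s => s.toLowerCase().replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/\/$/, '');
  const src = host(source), org = host(origin);
  if (src === '*') return true;
  return src.startsWith('*.') ? org.endsWith(src.slice(1)) : src === org;
}
// kind: 'inline-style' | 'inline-script' | 'style' | 'script' (external, loaded from origin).
function cspAllows(policy, kind, origin, selfOrigin) {
  const sources = effectiveSources(policy, kind.endsWith('style') ? 'style-src' : 'script-src');
  if (sources === null) return true;
  if (kind.startsWith('inline-')) {
    // A nonce or hash in the list makes browsers ignore 'unsafe-inline' (CSP Level 2+),
    // one reason "authorizing" inline code can still appear not to work.
    const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  return sources.some(s => s === "'self'" ? hostMatches(selfOrigin, origin)
                                          : !s.startsWith("'") && hostMatches(s, origin));
}
// Constructed placeholders (not FreshRSS's real header, site or any real CDN).
const SELF = 'https://rss.example.test';
const CDN = 'https://cdn.example.net';
const STRICT_CSP = "default-src 'self'";
const RELAXED_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' " + CDN;
// What the extension needs: inline styles for rendered math, plus its script files.
function mathjaxNeeds(header) {
  const policy = parseCsp(header);
  return {
    inlineStyle: cspAllows(policy, 'inline-style', null, SELF),
    cdnScript: cspAllows(policy, 'script', CDN, SELF),
    localScript: cspAllows(policy, 'script', SELF, SELF),
  };
}
```

Under the strict policy only the locally served script passes; the relaxed one also admits inline styles and the CDN host, which is the trade-off the extension is asking FreshRSS to make on its behalf.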
Can we just let the user decide whether to open these CSP rules? If nothing is blocked, things should be fine. |
Any update please? |
see #6437 (comment) |
Unsafe is overstating it a bit imho. :-) All
Describe the bug
Latex-Support plugin does not work. It seems like the old latex plugin does not consider CSP rules.
To Reproduce
Just install the latex plugin from here and then you will find the error.
Expected behavior
It should work smoothly.
Screenshots
None of latex is rendered.
Environment information (please complete the following information):