Add a way to modify CSP rules within an extension #6246

Merged
merged 1 commit into from
Mar 30, 2024

Conversation

aledeg
Member

@aledeg aledeg commented Mar 30, 2024

This will allow changing CSP rules to authorize the use of external scripts. We might need to add some safeguard, since it will be virtually possible to load any script, even a malicious one.

Changes proposed in this pull request:

  • Add support to extension CSP rules

How to test the feature manually:

  1. Modify the CSP rules in an extension as described in the documentation
  2. Validate that the new rule is appended to the existing rules

Pull request checklist:

  • clear commit messages
  • code manually tested
  • unit tests written (optional if too hard)
  • documentation updated

Additional information can be found in the documentation.

@aledeg aledeg force-pushed the extension/csp-policies branch 2 times, most recently from ae4fcf1 to 069e7a2 Compare March 30, 2024 12:24
This will allow changing CSP rules to authorize the use of external scripts.
We might need to add some safeguard, since it will be virtually possible to
load any script, even a malicious one.
@Alkarex Alkarex added this to the 1.24.0 milestone Mar 30, 2024
@Alkarex Alkarex merged commit 7da0e70 into FreshRSS:edge Mar 30, 2024
2 checks passed
@math-GH
Contributor

math-GH commented Mar 30, 2024

Would it make sense to make it more transparent if an extension is adding external sources to the CSP?

@Alkarex
Member

Alkarex commented Mar 31, 2024

> Would it make sense to make it more transparent if an extension is adding external sources to the CSP?

Extensions can do worse things than editing the CSP, so while that could be nice if done in a light way, I do not think it is urgent.
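
The check from the manual test steps (the new rule is appended to the existing rules) together with a report of which external sources an extension added, as an added example that is not FreshRSS code. The helper names, the base policy and the extension rules are all constructed for illustration, and seeding a missing fetch directive from `default-src` is an assumption of this example, not a statement about how the project merges rules.

```python
# Added example: hypothetical helpers, not FreshRSS code.
FETCH_DIRECTIVES = {"child-src", "connect-src", "font-src", "frame-src", "img-src",
                    "manifest-src", "media-src", "object-src", "script-src",
                    "style-src", "worker-src"}

def parse_csp(header):
    """Parse a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def merge_extension_rules(base, extra):
    """Append extension sources to base; return (merged, external sources added)."""
    merged = {d: list(s) for d, s in base.items()}
    added = []
    for directive, value in extra.items():
        directive, sources = directive.lower(), value.split()
        if not sources:
            continue
        if directive in merged:
            current = merged[directive]
        elif directive in FETCH_DIRECTIVES:
            # A new fetch directive replaces the default-src fallback entirely,
            # so seed it from default-src to avoid silently dropping 'self'.
            current = list(merged.get("default-src", []))
        else:
            current = []
        # 'none' is only meaningful alone; drop it once real sources are appended.
        current = [s for s in current if s.lower() != "'none'"]
        for source in sources:
            if source not in current:
                current.append(source)
                if not source.startswith("'"):  # host or scheme, not a keyword
                    added.append((directive, source))
        merged[directive] = current
    return merged, added

def serialize_csp(policy):
    return "; ".join(" ".join([d, *s]) for d, s in policy.items())

BASE = "default-src 'self'; img-src 'self' data:; object-src 'none'"  # constructed
EXTENSION_RULES = {"script-src": "https://cdn.example.net",          # constructed
                   "img-src": "https://img.example.net data:"}

if __name__ == "__main__":
    merged, added = merge_extension_rules(parse_csp(BASE), EXTENSION_RULES)
    print(serialize_csp(merged))
    for directive, source in added:
        print(f"extension added external source {source} to {directive}")
```

The `added` list is the kind of lightweight signal an administrator could review before enabling an extension.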
