Update Glimpse.axd to CSP compliant #658

merged 4 commits into master from no631-make-glimpse-axd-csp-compliant on Dec 18, 2013



CGijbels commented Nov 29, 2013

This pull contains all the necessary changes to make Glimpse.axd fully CSP compliant, and by full I mean that Glimpse.axd will run when the CSP header Content-Security-Policy is set to default-src 'self'.

There have been some new resources defined, of which the LogosResource is one to have a look at because I would like the resource returned by the LogoResource to be returned (it already does by the way) by the LogosResource. Creating one Resource for each logo is a little bit overkill.

I also added a new feature to the ConfigurationResource, in a generic way, that allows the ConfigurationResource to indicate the resources it depends on (based on resource requests made in the HTML returned by that ConfigurationResource). This was needed to keep the new security approach to the Default resource working, because now there are other resources that need the same treatment since they are "part" of the ConfigurationResource.

It also contains a little test page which shows that the Glimpse Client is not CSP compliant with the CSP header mentioned above, but if we add style-src 'unsafe-inline' to the CSP header above, then it will work. So basically there is an issue with inline styles, which are used all over the place, and it might be hard to fix all of them. Also the CSS can't be part of the JS, because it is added as an inline style to the HEAD of the document, so it must be returned separately.

@avanderhoorn I moved all of the embedded resources into a separate folder "EmbeddedResources", except for the glimpse.js and the Resources.resx files; they remain, for now, in the root.
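The two headers discussed in this pull request, worked through as an added example that is not part of the pull request or of Glimpse itself: a small Content-Security-Policy evaluator that models how a browser resolves a fetch directive (style-src or script-src falls back to default-src only when that directive is absent from the policy) and what 'self', 'unsafe-inline' and 'none' permit. The page origin http://localhost:5000 and the resource paths /Glimpse.axd?n=glimpse.css and /Glimpse.axd?n=glimpse.js are constructed for the demo, as is the cdn.example host. One caveat the example makes visible: because a style-src directive replaces the default-src fallback rather than extending it, a header of default-src 'self'; style-src 'unsafe-inline' allows the inline styles but no longer allows a same-origin stylesheet; the header that keeps both working is default-src 'self'; style-src 'self' 'unsafe-inline'. Nonces, hashes, scheme-only sources and the CSP3 style-src-elem/style-src-attr split are not modelled.

```javascript
// Added example (not Glimpse code): a minimal CSP evaluator covering the parts
// of CSP the discussion above depends on:
//  - a fetch directive (style-src, script-src, ...) falls back to default-src
//    only when that directive is absent from the policy;
//  - 'self' matches same-origin URLs, 'unsafe-inline' permits inline <style>
//    and <script> content, 'none' matches nothing, host-sources match by origin.
// The origin and resource paths used below are constructed for the demo.

function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicated directive is ignored by the browser; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map(t => t.toLowerCase()));
  }
  return policy;
}

// Source list governing `directive`, or null when the policy does not constrain it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Inline content (a <style> element injected into HEAD, a style="" attribute,
// an inline <script>) is only permitted when the governing list has 'unsafe-inline'.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// External resource fetched from `url` by a page served from `pageOrigin`.
function allowsUrl(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const target = new URL(url, pageOrigin);
  const self = new URL(pageOrigin).origin;
  return sources.some(src => {
    if (src === "'self'") return target.origin === self;
    if (src === '*') return true;
    if (src.startsWith("'")) return false;            // other keywords: not a URL match
    if (src.includes('://')) {                        // scheme://host[:port] host-source
      try { return new URL(src).origin === target.origin; } catch (e) { return false; }
    }
    return target.host === src;                       // bare host-source
  });
}

// The decision the pull request discussion is about, for one header value.
function evaluate(header, pageOrigin = 'http://localhost:5000') {
  const policy = parseCsp(header);
  return {
    header,
    inlineStyle: allowsInline(policy, 'style-src'),
    sameOriginCss: allowsUrl(policy, 'style-src', '/Glimpse.axd?n=glimpse.css', pageOrigin),
    sameOriginJs: allowsUrl(policy, 'script-src', '/Glimpse.axd?n=glimpse.js', pageOrigin),
    cdnJs: allowsUrl(policy, 'script-src', 'https://cdn.example/x.js', pageOrigin),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of [
    "default-src 'self'",
    "default-src 'self'; style-src 'unsafe-inline'",
    "default-src 'self'; style-src 'self' 'unsafe-inline'",
  ]) console.log(evaluate(h));
}
```

Run with node to see the three rows; the middle header is the one that looks like a fix but silently blocks the stylesheet Glimpse.axd serves, which is why the page's test setup needs 'self' repeated inside style-src.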

CGijbels added some commits Nov 29, 2013

Added a LogosResource to handle multiple logos
- Refactored the FileResource
- Moved all (except for resources.resx and glimpse.js) to
EmbeddedResources folder
Added option for resource to define resource deps
Since the ConfigurationResource, which is the Default resource as well,
depends on other resources to work properly, the option to define these
possibilities has been added. This is needed to make sure the
GlimpseRuntime can apply the same security check to those resources as
Fixes #631 Made Glimpse.axd CSP Compliant
- Added a test page for the Glimpse Client and that is still not CSP
Compliant especially due to styles being inlined.
- To test this I've added the "Content-Security-Policy" = "default-src
'self'" header for the glimpse.axd and that test page in the MVC3 Music
Store Sample, although it is too restrictive for the test page containing
the Glimpse panel. To make that work "style-src 'unsafe-inline'" must be
added to the header as well.

ghost assigned avanderhoorn Dec 18, 2013

avanderhoorn added a commit that referenced this pull request Dec 18, 2013

avanderhoorn merged commit 6c5adaf into master Dec 18, 2013

nikmd23 deleted the no631-make-glimpse-axd-csp-compliant branch Jul 16, 2014
