Add a strict Content-Security-Policy (CSP) #1197
base: dev
Conversation
@surma This is ready for your review!
The initial load seems to work fine, but once you click an image, the app breaks: I am pretty sure that we actually have some fun
@maudnals Can we allow eval-like stuff in workers only somehow?
That should be possible to disable via
Thanks everyone! @RReverser Are you suggesting to set
Not that I know of, I'll check in with @lweichselbaum. One alternative here in case the emscripten flag change isn't viable would be to add
Happy to start with this to land this PR and then explore @RReverser’s suggestion + removing
@surma Sounds good to me! I've just pushed that change (
src/static-build/utils.tsx
Outdated
const strictCsp = StrictCsp.getStrictCsp(scriptHashes, false, true);
// enableTrustedTypes: false, enableBrowserFallbacks: true
// enableUnsafeEval: true, to accomodate for uses of eval by emscripten. Enabling eval makes the CSP a bit less secure
const strictCsp = StrictCsp.getStrictCsp(scriptHashes, false, true, true);
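Review bot: the comment on the new fourth argument should state what `enableUnsafeEval: true` actually gives up rather than "a bit less secure": `'unsafe-eval'` re-enables eval-style string-to-code execution for the whole page, so any injection that reaches such a sink is not stopped by the script hash allowlist. Record the concrete emscripten dependency that forces it, so the option can be removed once the flag change discussed above lands, and fix `accomodate` to `accommodate`.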
This is a drive-by: standalone boolean parameters are a bit of an API smell as they are not self-explanatory.
If you can, I’d recommend refactoring it into an options object like so
const strictCsp = StrictCsp.getStrictCsp(scriptHashes, {
enabledTrustedTypes: false,
enableBrowserFallbacks: true,
enableUnsafeEval: true
});
yes thank you, the options object is way better. Done!
(the strict-csp package is also republished with this change)
Hi folks, is this something you'd want to merge?
Surma was the main reviewer on this PR, but he's no longer with us, so not sure how to proceed. @surma do you still want to do reviews on this repo?
Leverage the strict-csp npm package to:
meta tag in the Squoosh page.

Try it out
npm i
npm run dev
meta tag.

This code uses strict-csp. What is it?
See strict-csp.

One of the goals of this is to experiment with strict-CSP and see whether it can cause any issue in a real application.
Yes, this means that Squoosh is used as a guinea-pig web application for this library; if that's not something desirable anymore because usage increased since that idea was first discussed, please let's talk!