Fixes #24062: Implementing CSP headers without duplicating Lift scripts #5342
Conversation
…t scripts Fixes #24062: Implementing CSP headers without duplicating Lift scripts
PR updated with a new commit
No real idea about performance, but it looks like the Correct Way to do it in Lift.
Headers seem OK, with no JS errors and no duplicates.
LGTM 👍
This PR is not mergeable to upper versions.
https://issues.rudder.io/issues/24062
One of a few solutions to remove the scripts appended to the HTML page by Lift: use the response byte array. The only straightforward way is to make use of mutability (array copying here), because Lift only provides us the final response (which is a case class). Lift has a mutable partial function `convertResponse` which we can re-assign to intercept the script if it contains duplicates, then remove the duplicates.

There is also a fix in the 2nd commit for the healthcheck page, which cannot have `onclick` event handlers because of CSP restrictions... Lift has a boolean attribute `extractInlineJavaScript` that, when the value is true, allows including all inline JavaScript in the Lift page script (which already has a nonce). So we can actually leave the `onclick` handlers now and Lift will do the rewrite!
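The two mechanisms named in the description, re-assigning `LiftRules.convertResponse` to post-process the final response bytes and turning on `LiftRules.extractInlineJavaScript`, as an added example in Scala. This is illustration code, not the Rudder PR's own implementation: it assumes the Lift 3.x API names `LiftRules.convertResponse` (a `var` partial function), `LiftResponse.toResponse` yielding the `InMemoryResponse` case class, and `LiftRules.extractInlineJavaScript`; the regex-based deduplication of byte-identical `<script>` elements, the `CspScriptDedup` object and the `install()` entry point are my own choices for the example.

```scala
// Added example (not the Rudder PR's code). Assumes Lift 3.x API names
// LiftRules.convertResponse, LiftResponse.toResponse, InMemoryResponse and
// LiftRules.extractInlineJavaScript; the regex-based dedupe is illustrative.
import net.liftweb.http.{InMemoryResponse, LiftRules}
import scala.collection.mutable
import scala.util.matching.Regex

object CspScriptDedup {
  // Whole <script ...>...</script> elements, case-insensitive, spanning newlines.
  private val ScriptElement: Regex = """(?is)<script\b[^>]*>.*?</script>""".r

  /** Keep the first occurrence of each byte-identical <script> element, drop repeats.
    * A second copy with a different nonce or body is NOT a duplicate and survives. */
  def dedupeScripts(html: String): String = {
    val seen = mutable.HashSet.empty[String]
    ScriptElement.replaceAllIn(html, m =>
      if (seen.add(m.matched)) Regex.quoteReplacement(m.matched) else "")
  }

  private def isHtml(headers: List[(String, String)]): Boolean =
    headers.exists { case (k, v) =>
      k.equalsIgnoreCase("Content-Type") && v.toLowerCase.startsWith("text/html")
    }

  /** Call once from Boot.boot(), before the first request is served. */
  def install(): Unit = {
    // Inline onclick/onchange/... attributes are moved by Lift into its page
    // script, which already carries the CSP nonce, so 'unsafe-inline' stays off.
    LiftRules.extractInlineJavaScript = true

    // Wrap the existing conversion instead of replacing it, so every default
    // case (NodeSeq, Box, LiftResponse passthrough, ...) keeps working.
    val original = LiftRules.convertResponse
    LiftRules.convertResponse = {
      case (in, headers, cookies, req) =>
        // toResponse materialises the final body as a byte array (assumed UTF-8,
        // which is what Lift's XHTML rendering emits).
        original((in, headers, cookies, req)).toResponse match {
          case InMemoryResponse(data, hs, cs, code) if isHtml(hs) =>
            val cleaned = dedupeScripts(new String(data, "UTF-8")).getBytes("UTF-8")
            // Drop a stale Content-Length; the body may have shrunk.
            val headersOut = hs.filterNot(_._1.equalsIgnoreCase("Content-Length"))
            InMemoryResponse(cleaned, headersOut, cs, code)
          case other => other // non-HTML, streaming, redirects: untouched
        }
    }
  }
}
```

Two caveats worth checking in a real deployment: the filter is only applied to `text/html` in-memory responses, so streaming or non-HTML output is passed through unchanged, and because Lift's default `convertResponse` cases may recurse through the same `var` (for boxed values), the wrapper can run more than once on one response; the deduplication is idempotent, so that is harmless. Verify the result the way the reviewer above did: load a page with the browser console open and confirm there are no CSP violation reports and the page script appears exactly once.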