Browser requires unsafe Content-Security-Policy

[piotrekbator]

At the moment if I set up a CSP limiting script-src the browser won't work and the only way to make it work (AFAIK) is to add the 'unsafe-inline' option to the CSP. Which is... unsafe :D

The reason for that is that there's an inline script in the HTML served by the browser:

<script type="text/javascript">
  RubyEventStore.Browser.Elm.Main.init({
    flags: {
      /* ... */
    }
  });
</script>

I think that the solution would be to:

1. Provide the configuration hash (what's currently under flags) to a data attribute on <body /> for example; probably just dumped as JSON.
2. Move the init invocation to the main JS file: just add some code that looks for the data attribute, loads the settings from there and if they're found and sound, pass them to the init function.

I'm not sure if the current JS file that's used by the browser is ready for that or if that's even a good idea. But I'm quite confident that supporting a safe CSP should be handled.

And I'd be happy to do some work on that, just don't want to poke around blindly. Let me know if the path I'm suggesting is fine from your perspective and I'll try to prepare a PR.

[mostlyobvious]

To recap, that I understand it correctly:

• adding global CSP policy (for the whole site with the browser mounted in routes) to limit inline scripts prevents browser from working (there's inline script to init the browser)
• removing inline script and moving its contents to separate script file would pass global CSP policy that limits inline scripts

Out of curiosity, is there a middle ground, i.e. overriding CSP policy for some parts of the site, possibly doable with meta tags from browser-rendered HTML or from Rack middleware? (setting header just for the browser responses)

The solution you've proposed is sound, that is:

• moving configuration to data attributes on a dom element in main browser HTML document
• reading data attributes and passing them to Elm application flags in a separate JS file (i.e. https://github.com/RailsEventStore/rails_event_store/blob/0b653f60cee3ae6b73626ce09e2258c217329c25/ruby_event_store-browser/elm/src/index.js), where Elm.Main.init() will be called

It also makes exposing Elm application under window.RubyEventStore.Browser obsolete, which is a good thing.

For the reference: https://guide.elm-lang.org/webapps/

[piotrekbator]

Yeah, that's correct.

As for the middleground: I've not tested it but, when the CSP header is added on the HTTP server level (nginx in my case) I understand that there'd be no way to override it just for the browser. And even if that worked it would be more of a workaround than solution and it'd generate new problems: for example when to set this local CSP header - always, or just when we know that it's needed? If just when needed - how do we know that? A configuration option? That will require users to first encounter the bug, then successfully debug that it's caused by CSP, then find the option in docs and then fix it - not works out of the box experience exactly :)

So I'd much prefer a solution that complete does away with the problem and makes the browser just work even with CSP enabled.

If that's ok with you (and it sounds like it is), I'll give this a try in the near future and let come back with a PR.

[mostlyobvious]

If that's ok with you (and it sounds like it is), I'll give this a try in the near future and let come back with a PR.

Yes, please do 🙂

[mostlyobvious]

Closed via #1185