
💥 custom CSP will always extend Shopify domain and default development domain #1593

Merged
merged 3 commits into from Jan 5, 2024

Conversation


@michenly michenly commented Dec 21, 2023

WHY are these changes introduced?

The CSP bug was found when using ngrok as the public domain for local development (after #1591).

Without modifying anything, you will find the following bug in the browser:
[screenshot: csp disabled override 1]

The fix for this is to modify the createContentSecurityPolicy options in app/entry.server.tsx, where the user needs to add the public domain they are using, followed by all the current defaults, manually.

import {createContentSecurityPolicy} from '@shopify/hydrogen';

// Pre-fix workaround: a connectSrc passed here replaces the defaults, so every
// default development source has to be repeated after the public domain.
const {nonce, header, NonceProvider} = createContentSecurityPolicy({
  connectSrc: [
    'wss://public-domain:*',
    'http://localhost:*',
    'ws://localhost:*',
    'ws://127.0.0.1:*',
  ],
});

This is not easy to maintain, especially if the defaults ever change.

WHAT is this pull request doing?

This PR changes the behaviour of createContentSecurityPolicy so that a custom CSP passed in will no longer override the default domains.

The new behaviour takes the user-supplied options and adds the default policies on top of them.

HOW to test your changes?

Post-merge steps

Checklist

  • I've read the Contributing Guidelines
  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've added a changeset if this PR contains user-facing or noteworthy changes
  • I've added tests to cover my changes
  • I've added or updated the documentation

@michenly
Contributor Author

I am pretty sure there are many more docs I need to update. Will figure it out soon!

@michenly michenly self-assigned this Dec 22, 2023
---
'@shopify/hydrogen': patch
---

✨ add applyDefault option to createContentSecurityPolicy which allow users to add policy in front of the existing rules instead of overriding them. The default value of applyDefault option is false which is the current behaviour.

@blittle blittle Jan 3, 2024


Suggested change
✨ add applyDefault option to createContentSecurityPolicy which allow users to add policy in front of the existing rules instead of overriding them. The default value of applyDefault option is false which is the current behaviour.
✨ add `applyDefault` option to `createContentSecurityPolicy` which automatically adds Shopify domains to the content security policy, extending whatever rules are passed instead of overriding them. The default value of `applyDefault` option is false which is the current behavior.

Contributor (blittle)


Actually, thinking about this more, I think almost always if the user provides a custom CSP, they will probably also want to keep the Shopify domains as well. So perhaps this should default to true, or invert it and default it to false. Sure, it would be a breaking change, but it's relatively minor, and we can make a breaking change for the 2024-01 release. So now would be the time to do it. Thoughts?

Contributor Author (michenly)


@blittle 👍 true say. Since including Shopify domains really just allows more in the CSP, nothing should really break.
I will edit and make this PR a breaking change and use extending as the default.

Co-authored-by: Bret Little <bret.little@shopify.com>
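The following is an added example, not Hydrogen's code and not from either participant. It models the two merge strategies this thread compares: the pre-fix behaviour described in the PR description (a caller-supplied directive replaces the default list for that directive, so the localhost/ngrok case above silently loses its development sources) and the merged behaviour agreed in the exchange above (the caller's sources are kept and the defaults appended, with extending as the default). The directive names, the default source lists, the `applyDefault` parameter's semantics and the `example.ngrok.app` hostname are assumptions for illustration; they are not Hydrogen's real defaults or API.

```typescript
// Added example (not Hydrogen's own code): a minimal CSP builder that makes the
// two merge strategies discussed in this PR concrete. The default directive
// lists and the ngrok hostname below are assumptions for illustration, not
// Hydrogen's actual defaults.

type Directives = {[directive: string]: string[]};

// Assumed defaults, modelled on the development sources the PR description lists.
const DEFAULT_DIRECTIVES: Directives = {
  defaultSrc: ["'self'", 'https://cdn.shopify.com'],
  connectSrc: ["'self'", 'http://localhost:*', 'ws://localhost:*', 'ws://127.0.0.1:*'],
  frameAncestors: ["'none'"],
};

// What a developer would pass for a public tunnel (assumed hostname).
const CUSTOM_DIRECTIVES: Directives = {
  connectSrc: ['wss://example.ngrok.app:*'],
};

// Keep the first occurrence of each source (no ES2015 Set needed).
function unique(list: string[]): string[] {
  return list.filter((value, index) => list.indexOf(value) === index);
}

// camelCase option key -> CSP directive name (connectSrc -> connect-src).
function directiveName(key: string): string {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// applyDefault=false reproduces the pre-fix behaviour: a directive the caller
// supplies replaces the default list for that directive, so the localhost
// sources silently disappear. applyDefault=true reproduces the merged
// behaviour: the caller's sources come first and the defaults are appended.
function mergeDirectives(custom: Directives, applyDefault: boolean = true): Directives {
  const merged: Directives = {};
  const keys = unique(Object.keys(DEFAULT_DIRECTIVES).concat(Object.keys(custom)));
  for (const key of keys) {
    const own = custom[key] || [];
    const defaults = DEFAULT_DIRECTIVES[key] || [];
    merged[key] = applyDefault || !(key in custom)
      ? unique(own.concat(defaults))
      : own.slice();
  }
  return merged;
}

// Serialise to a Content-Security-Policy header value.
function buildHeader(directives: Directives): string {
  return Object.keys(directives)
    .map((key) => directiveName(key) + ' ' + directives[key].join(' '))
    .join('; ');
}

function overrideHeader(): string {
  return buildHeader(mergeDirectives(CUSTOM_DIRECTIVES, false));
}

function extendHeader(): string {
  return buildHeader(mergeDirectives(CUSTOM_DIRECTIVES, true));
}

// Which connect-src sources survive under a given header value.
function connectSources(header: string): string[] {
  const part = header.split('; ').filter((d) => d.indexOf('connect-src ') === 0)[0] || '';
  return part ? part.slice('connect-src '.length).split(' ') : [];
}

console.log('override:', overrideHeader());
console.log('extend:  ', extendHeader());
```

The check worth keeping in mind from a security standpoint: extending can only ever widen an allow-list. A caller who needs to drop one of the default sources (say, to forbid plaintext `ws://` in production) cannot do it through the extend path and has to build the directive explicitly, so the decision to default to extending trades that precision for not losing the Shopify and development hosts by accident. Source order inside a directive carries no meaning in CSP, so placing the caller's entries first is purely cosmetic.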
@michenly michenly changed the title ✨ add applyDefault option to createContentSecurityPolicy 💥 custom CSP will always extend Shopify domain and default development domain Jan 3, 2024
@michenly michenly merged commit a69c21c into main Jan 5, 2024
10 checks passed
@michenly michenly deleted the mc-csp-disabled-override branch January 5, 2024 22:30