@TheFRedFox
Contributor

Based on the issue #7511 in the cakephp repo, I removed inline JavaScript and style code and replaced them with code in separate JS and CSS files, respectively.
So DebugKit is (hopefully) fully supported for Content Security Policy. DebugKit also sets its own Content-Security-Policy, so it should be guaranteed that everything can be loaded by DebugKit.

adds explicit Content Security Policy header settings which are needed to load DebugKit correctly (fonts.googleapis.com and fonts.gstatic.com)
@markstory markstory added this to the 3.1.7 milestone Oct 7, 2015
Member


These PHP tags look wrong.

Contributor


This probably has to be elem.getAttribute("data-id");.

Contributor Author


Oh yeah, holy ... 😄 Interesting that it is working nevertheless. ^^ I will fix it.

Edith says: Ok, changed that. A new data attribute on the script tag is created for the toolbar id and is read with elem.getAttribute("data-id"), like Marlinc already said. 😉

@markstory markstory self-assigned this Oct 7, 2015
@markstory
Member

So I noticed a few regressions that will need to be figured out before this can be merged:

  • Syntax highlighting in the SQL panel uses inline styles and is currently broken.
  • Waterfall chart in the Timer panel uses inline styles and is currently broken.

Other than these issues the changes are looking good.

@TheFRedFox
Contributor Author

@markstory I fixed syntax highlighting, as we can just separate all styles into a CSS file and load the CSS file in the sql_log_panel.ctp directly.
BUT
The timer panel gives me a headache! We can't just load the script file in the timer_panel.ctp directly because of the eval restrictions of CSP. Just separating it into an existing JS file is possible, but it will definitely completely restrict JS usage for new users' panels.

To be honest ... as it is in its own iframe with its own CSP restrictions and as it is just supposed to be used in development ... I would suggest just allowing inline script, inline style and inline eval, so everything can be loaded in DebugKit. (or maybe we can just force allow everything for CSP for the DebugKit iframe 😉)

Maybe you want to know what is definitely needed to support CSP then. I will comment it in the code. But in general: everything that is done in the original page.
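Added here as an illustration, not code from this PR or from DebugKit: a small JavaScript policy checker showing why the inline script, inline style and eval() the timer panel relied on are blocked under the kind of header described above, while the Google Fonts hosts the PR whitelists still load. The policies and hostnames are constructed sample values.

```javascript
// Added example, not DebugKit's own code: a small evaluator for the CSP
// directives discussed in this thread. Sample policies are constructed.

// Parse "default-src 'self'; font-src 'self' fonts.gstatic.com" into a map
// of directive name -> source list.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Sources for a fetch directive; falls back to default-src, or to
// "no restriction" when neither is set (e.g. after the header is removed).
function effectiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}

// Inline <script>/<style> blocks need 'unsafe-inline'; eval() needs
// 'unsafe-eval'. Moving code into separate files avoids both keywords.
function allowsInline(policy, directive) {
  const src = effectiveSources(policy, directive);
  return src === null || src.includes("'unsafe-inline'");
}
function allowsEval(policy) {
  const src = effectiveSources(policy, 'script-src');
  return src === null || src.includes("'unsafe-eval'");
}

// Would a resource at `url` load under `directive` for a page on `pageHost`?
// Host matching is simplified: scheme and port are ignored.
function allowsUrl(policy, directive, url, pageHost) {
  const src = effectiveSources(policy, directive);
  if (src === null) return true;
  const host = new URL(url).hostname;
  return src.some(s => {
    if (s === "'self'") return host === pageHost;
    if (s.startsWith("'")) return false; // 'none', nonces, hashes: not hosts
    const pattern = s.replace(/^[a-z]+:\/\//i, '').replace(/[:/].*$/, '');
    if (pattern === '*') return true;
    if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
    return pattern === host;
  });
}

// Constructed policy of the kind the PR says DebugKit sends so its assets load.
const debugKitPolicy = parseCsp("default-src 'self'; style-src 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com");
```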

Contributor Author


[NEEDED] This is absolutely needed for CSP support inside the original page.

@markstory
Member

I think the current state where DebugKit can be loaded into a CSP page, but does not use CSP itself, is a good approach to take. 👍

Unsets the Content-Security-Policy "inside" the iframe. The iframe will be loaded with user's CSP, but doesn't need any CSP inside the iframe as it will just be used in development. Force unset, as it could be set anywhere else in the user's original application.
@TheFRedFox
Contributor Author

Ok .. I just changed it so the CSP header will be force unset for the possibility that the user set the CSP header somewhere else in the original application (e.g. directly in bootstrap).
It should work now with everything inside the iframe. ;)

markstory added a commit that referenced this pull request Oct 11, 2015
Removed inline javascript and style code to support Content Security Policy
@markstory markstory merged commit 83467f8 into cakephp:master Oct 11, 2015
