Skip to content

Implemented auto-adding required ContentSecurityPolicy rules #107

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 30, 2015
Merged

Implemented auto-adding required ContentSecurityPolicy rules #107

merged 1 commit into from
Jan 30, 2015

Conversation

begedin
Copy link
Contributor

@begedin begedin commented Jan 27, 2015

Will resolve #101

I decided to go with option 3 just to show you what I mean, but now that I have it (and it works properly), I'm thinking this might be considered bad add-on behavior, since it basically opens up potential security issues without the user actually knowing this.

To elaborate, this will not change config\environment.js physically on the disk. Instead, it will add the rules required by the add-on into the config object in memory. It's way more robust than option 2 in the issue description, but as I said, there may be a security concern.

On the other hand, option 2 is more transparent, but also much less robust. It has to deal with all the same issues that pull request #106 has listed, slightly increased by the fact that there's more text to add in this one. That being said, I'm also leaning towards option 2 now and it should be a quick thing to abandon the current approach and implement it that way.

begedin
begedin reviewed Jan 27, 2015
View reviewed changes
index.js
requiredCSP[propertyName].split(' ').forEach(mergeValues);
}

return config;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

baseConfig is what we got from the app. We merge that with what is needed by the add-on and then return the merged object. All of this happens in memory and nothing is written in the actual config file.

@begedin begedin self-assigned this Jan 27, 2015
@begedin begedin mentioned this pull request Jan 28, 2015
Open
@begedin
Copy link
Contributor Author

begedin commented Jan 30, 2015

@venkatd: Based on your comment #101 (comment) and my reply #101 (comment).

I feel pretty confident this is safe to merge. If it turns out I was wrong, the changes are limited to one file, so it's easily reverted.

begedin added a commit that referenced this pull request Jan 30, 2015
@begedin
Merge pull request #107 from coderly/auto-add-security-policy-rules
cfe1b0c 
Implemented auto-adding required ContentSecurityPolicy rules
@begedin begedin merged commit cfe1b0c into master Jan 30, 2015
@begedin begedin deleted the auto-add-security-policy-rules branch January 30, 2015 20:31
@begedin begedin mentioned this pull request Jan 30, 2015
Closed
This was referenced Feb 23, 2015
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@begedin begedin

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Find solution for content-security-policy configuration not being set correctly by the user.
1 participant
@begedin