Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: Clarifies CSP usage with file:// resources #14768

Merged
merged 1 commit into from Nov 28, 2018

Conversation

Projects
None yet
4 participants
@Slapbox
Copy link
Contributor

commented Sep 22, 2018

Description of Change
Checklist
  • relevant documentation is changed or added
  • PR title follows semantic commit guidelines
Release Notes

Notes: Previously it was not noted that the HTTP header method could not work with the file:// protocol.

@Slapbox Slapbox requested a review from as a code owner Sep 22, 2018

@welcome

This comment has been minimized.

Copy link

commented Sep 22, 2018

💖 Thanks for opening this pull request! 💖

We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix.

Examples of commit messages with semantic prefixes:

  • fix: don't overwrite prevent_default if default wasn't prevented
  • feat: add app.isPackaged() method
  • docs: app.isDefaultProtocolClient is now available on Linux

Things that will help get your PR across the finish line:

  • Follow the JavaScript, C++, and Python coding style.
  • Run npm run lint locally to catch formatting errors earlier.
  • Document any user-facing changes you've made following the documentation styleguide.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@Slapbox Slapbox referenced this pull request Sep 22, 2018

Merged

doc: add CSP examples #13167

@@ -370,8 +370,7 @@ session.defaultSession.webRequest.onHeadersReceived((details, callback) => {

### CSP Meta Tag

CSP's preferred delivery mechanism is an HTTP header. It can be useful, however,
to set a policy on a page directly in the markup using a `<meta>` tag:
CSP's preferred delivery mechanism is an HTTP header, however it is not possible to use this method when loading a resource using the `file://` protocol. It can be useful in some cases, such as using the `file://` protocol, to set a policy on a page directly in the markup using a `<meta>` tag:

This comment has been minimized.

Copy link
@busticated

busticated Sep 22, 2018

good stuff 👏

i think it's worth also noting a few other things:

  1. the example usage of onHeadersReceived() is wrong - specifically the { responseHeaders: default-src 'none' } format should be 👉 https://stackoverflow.com/a/52243138/579167 (i think?)
  2. CSP headers only need to be set for Content-Type: text/html (and application/xhtml+xml and application/xml - anything that generates an interactive document) responses

This comment has been minimized.

Copy link
@codebytere

codebytere Oct 10, 2018

Member

@Slapbox agree with the above; if you could address these comments we can look to getting this merged!

This comment has been minimized.

Copy link
@Slapbox

Slapbox Oct 10, 2018

Author Contributor

@codebytere @busticated thanks for your reviews. I'd be happy to update this, but because I've never actually set headers this way due to exclusive use of the file:// protocol in my projects, I'd be worried about updating the docs with inaccurate information. Can anyone confirm the below is accurate?

the example usage of onHeadersReceived() is wrong - specifically the { responseHeaders:default-src 'none'} format should be point_right https://stackoverflow.com/a/52243138/579167 (i think?)

This comment has been minimized.

Copy link
@zcbenz

zcbenz Nov 28, 2018

Member

The other notes are additional to other chapters, and do not conflict with this PR which only adds new content to "CSP Meta Tag", please start a new PR to add new content.

@zcbenz

zcbenz approved these changes Nov 28, 2018

@zcbenz zcbenz force-pushed the Slapbox:patch-2 branch from 7d3e702 to ee294c8 Nov 28, 2018

@zcbenz zcbenz merged commit d7d4b86 into electron:master Nov 28, 2018

21 of 23 checks passed

ci/circleci: osx-testing-tests Your tests failed on CircleCI
Details
ci/circleci: mas-testing-tests CircleCI is running your tests
Details
Absolute Zero
Artifact Comparison No Changes
Details
Semantic Pull Request ready to be squashed
Details
WIP ready for review
Details
appveyor: win-ia32-testing-pr AppVeyor build succeeded
Details
appveyor: win-x64-testing-pr AppVeyor build succeeded
Details
ci/circleci: linux-arm-debug Your tests passed on CircleCI!
Details
ci/circleci: linux-arm-testing Your tests passed on CircleCI!
Details
ci/circleci: linux-arm64-debug Your tests passed on CircleCI!
Details
ci/circleci: linux-arm64-testing Your tests passed on CircleCI!
Details
ci/circleci: linux-checkout Your tests passed on CircleCI!
Details
ci/circleci: linux-ia32-debug Your tests passed on CircleCI!
Details
ci/circleci: linux-ia32-testing Your tests passed on CircleCI!
Details
ci/circleci: linux-ia32-testing-tests Your tests passed on CircleCI!
Details
ci/circleci: linux-x64-debug Your tests passed on CircleCI!
Details
ci/circleci: linux-x64-testing Your tests passed on CircleCI!
Details
ci/circleci: linux-x64-testing-tests Your tests passed on CircleCI!
Details
ci/circleci: mas-testing Your tests passed on CircleCI!
Details
ci/circleci: osx-testing Your tests passed on CircleCI!
Details
electron-lint Build #20181128.6 succeeded
Details
release-notes Release notes found
@release-clerk

This comment has been minimized.

Copy link

commented Nov 28, 2018

Release Notes Persisted

Previously it was not noted that the HTTP header method could not work with the file:// protocol.

@welcome

This comment has been minimized.

Copy link

commented Nov 28, 2018

Congrats on merging your first pull request! 🎉🎉🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.