Allow Gatsby to run with a CSP without unsafe-inline. #3758

Closed
chuckharmston opened this Issue Jan 28, 2018 · 4 comments

chuckharmston commented Jan 28, 2018

In order to use Gatsby with a CSP, the inline CSS and JavaScript it produces requires it to be run with unsafe-inline, which renders it vulnerable to a broad swath of attacks and generally makes the CSP worthless.

There are two ways to permit this:

  1. By allowing generated assets to be loaded as external assets, so origins can be used to control this.
  2. By using strict-dynamic and hashes of the content of each generated file or inline resource. This provides slightly better security, but is also more complex and rigid. Ideally in this case, the generated CSP is inserted as a <meta> tag and the same CSP is inserted into gatsby-plugin-netlify's generated _headers file.

I'd favor #1 as opt-in behavior for its flexibility. It would require more requests, but H/2's multiplexing reduces the penalty for that.


zionis137 commented Jan 29, 2018

There are some related issues that go in the direction of option 2:

Ideally the CSP should be opt-out; option 2 does not require HTTP/2 to be efficient.


jorispz commented Apr 6, 2018

Would it be terribly difficult to make option 1 work? From my (very limited) perspective it would seem the easier route, at the expense of a few requests more.


KyleAMathews commented Sep 8, 2018

Due to the high volume of issues, we're closing out older ones without recent activity. Please open a new issue if you need help!


simonlc commented Oct 13, 2018

The only problem with option 2 is it will not work with other deployments. In my opinion there should be an option for having zero inlined scripts/code. Option 2 is favorable however if you do have a supported host.
