ui: CSP Improvements #9847
Merged
ui: CSP Improvements #9847
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 3 commits
March 8, 2021 14:02
We used to have inline scripts in index.html in order to support embers filepath fingerprinting and our configurable rootURL. Instead of using inline scripts we use application/json plus a JSON blob to create a fake filesystem JSON blob/hash/map to hold all of the rootURL'ed fingerprinted file paths which we can then retrive later in non-inline scripts. We move our inlined polyfills script into the init.js external script, and we move the CodeMirror syntax highlighting configuration inline script into the main app itself - into the already existing CodeMirror initializer (this has been moved so we can lookup a service located document using ember's DI container)
|
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/338456. |
|
🍒✅ Cherry pick of commit 4147171 onto |
hashicorp-ci
pushed a commit
that referenced
this pull request
Mar 17, 2021
* Configure ember-auto-import so we can use a stricter CSP * Create a fake filesystem using JSON to avoid inline scripts in index We used to have inline scripts in index.html in order to support embers filepath fingerprinting and our configurable rootURL. Instead of using inline scripts we use application/json plus a JSON blob to create a fake filesystem JSON blob/hash/map to hold all of the rootURL'ed fingerprinted file paths which we can then retrive later in non-inline scripts. We move our inlined polyfills script into the init.js external script, and we move the CodeMirror syntax highlighting configuration inline script into the main app itself - into the already existing CodeMirror initializer (this has been moved so we can lookup a service located document using ember's DI container) * Set a strict-ish CSP policy during development
dizzyup
pushed a commit
that referenced
this pull request
Apr 21, 2021
* Configure ember-auto-import so we can use a stricter CSP * Create a fake filesystem using JSON to avoid inline scripts in index We used to have inline scripts in index.html in order to support embers filepath fingerprinting and our configurable rootURL. Instead of using inline scripts we use application/json plus a JSON blob to create a fake filesystem JSON blob/hash/map to hold all of the rootURL'ed fingerprinted file paths which we can then retrive later in non-inline scripts. We move our inlined polyfills script into the init.js external script, and we move the CodeMirror syntax highlighting configuration inline script into the main app itself - into the already existing CodeMirror initializer (this has been moved so we can lookup a service located document using ember's DI container) * Set a strict-ish CSP policy during development
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR allows folks to set a stricter CSP policy for the UI. Mainly by configuring
ember-auto-importto not requireunsafe-evaland by re-arranging things so we no longer need to use inline scripts for some of our stranger requirements (pre vendor polyfills and CodeMirror syntax highlight loading).We also set our development-time CSP to the strictest policy we can currently use so we are nudged if anything doesn't adhere to policy.
More details in the commit messages.
There are still some minor (inline CSS related) improvements we can still make here, but we now support the strictest JS related CSP available:
Removal of the
unsafe-inlinefor style/CSS is likely to be PRed at a later date