Skip to content

Constrain frame-src CSP to only allow the playground and youtube embeds #528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 30, 2021
Merged

Constrain frame-src CSP to only allow the playground and youtube embeds #528

merged 3 commits into from
Sep 30, 2021

Conversation

@aomarks
Copy link
Member

@aomarks aomarks commented Sep 28, 2021

Part of #517

@github-actions
Copy link

github-actions bot commented Sep 28, 2021
edited
Loading

A live preview of this PR will be available at the URL(s) below.
The latest URL will be appended to this comment on each push.
Each build takes ~5-10 minutes, and will 404 until finished.

https://pr528-7c13f2d---lit-dev-5ftespv5na-uc.a.run.app/
https://pr528-ed0d0d9---lit-dev-5ftespv5na-uc.a.run.app/
https://pr528-e3adbf2---lit-dev-5ftespv5na-uc.a.run.app/
https://pr528-df494bb---lit-dev-5ftespv5na-uc.a.run.app/
https://pr528-e248987---lit-dev-5ftespv5na-uc.a.run.app/

AndrewJakubowicz
AndrewJakubowicz approved these changes Sep 29, 2021
View reviewed changes
Copy link
Contributor

@AndrewJakubowicz AndrewJakubowicz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I manually checked some references and ran locally. Not sure that running this locally exercises the changes though.

packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
// In dev mode, http: is needed for http://localhost Playground iframes.
`frame-src https:${opts.devMode ? ' http:' : ''}`,
// Playground previews and embedded YouTube videos.
`frame-src ${opts.playgroundPreviewOrigin} https://www.youtube-nocookie.com/`,
Copy link
Contributor

@AndrewJakubowicz AndrewJakubowicz Sep 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TIL: youtube-nocookie

@aomarks aomarks force-pushed the csp-remove-unsafe-inline branch from 24e9c6f to 0b7b3dd Compare September 30, 2021 00:24
Base automatically changed from csp-remove-unsafe-inline to main September 30, 2021 01:08
@aomarks aomarks merged commit 33d328b into main Sep 30, 2021
@aomarks aomarks deleted the csp-frame-src branch September 30, 2021 01:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AndrewJakubowicz AndrewJakubowicz AndrewJakubowicz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aomarks @AndrewJakubowicz