bug 948151: Add permissive CSP #5002
Builds on PR #5001, which can be merged first to get the libraries into the base image.
CKEditor 4.5.10 still requires
The reporting view is copied from mozilla/bedrock, and it used to forward violation reports to Sentry. There were no tests to copy.
I enjoyed reviewing this, as it forced me to dig into and understand the CSP header. I first updated my Docker images (mainly to pickup the new Kuma base image containing the required
django-csp package), and then ran this locally with the following added to my
MDN_CONTRIBUTION=True MDN_CONTRIBUTION_CONFIRMATION_EMAIL=True CSP_ENABLE_MIDDLEWARE=True CSP_REPORT_ENABLE=True
I verified the Content-Security-Policy header, and then wanted to test both the new CSP reporting endpoint as well as the need for some of the default CSP settings.
- I removed CSP_STYLE_SRC, and verified that a POST to the CSP reporting endpoint was made with the proper details
- I removed CSP_IMG_SRC, and again verified that the proper CSP violation was reported
- With everything back to normal, I logged in, and then noticed that I was getting a CSP violation for the img-src directive (which was triggered by the call to
i2.wp.com is an image CDN). I discovered that this was due to the fact that I was running in non-SSL mode. When I switched to SSL mode by adding
.env file, the CSP violation disappeared.
- Remaining within SSL mode, I also verified the need for the 'unsafe-eval' directives added to the
wiki.translate endpoints, by removing them and ensuring that the proper CSP violation was reported for each endpoint.
This looks great and worked for me locally. I would like to eventually see all of the CSP reporting data embedded in our Sentry report, but if we decide to do that we can do that in a future PR. I assume the next step is to enable CSP but only in reporting mode, with these settings in an
CSP_ENABLE_MIDDLEWARE=True CSP_REPORT_ENABLE=True CSP_REPORT_ONLY=True
and then, over the course of a week or so, see if we've missed anything in terms of the individual CSP policy directives via the reports to Sentry?
I had similar problems with the gravatar images, but I think that's because the
Yes, that's my thought too, but start with reporting-only on staging, and make sure the Sentry integration works with a manageable number of reports, before we go reporting-only in production and turn on the fire hose. I've also had a decent experience running a similar configuration in local development, we may want to make that a default to catch issues before they get to production, once we have an enforced CSP.
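As an added illustration (not code from this PR, from kuma, or from django-csp), here are the two pieces the review comment and the follow-up about report-only mode exercise: the header name that switches between enforcing and report-only, and a minimal parser for the violation reports a browser POSTs to the reporting endpoint, returning the fields a view would forward to Sentry. The setting names mirror the ones discussed above; their values, the report-uri path and the sample report are constructed.

```python
import json
from typing import Optional

# Hypothetical settings named after the ones in the thread; values are constructed
# samples, not the project's real configuration.
CSP_REPORT_ONLY = True
CSP_REPORT_URI = "/csp-report-placeholder"  # the real endpoint path is not on the page
CSP_DIRECTIVES = {"style-src": ("'self'",), "img-src": ("'self'", "https://i2.wp.com")}

def header_name(report_only: bool) -> str:
    """Report-only mode sends violation reports without blocking the resource."""
    return "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"

def build_policy(directives: dict, report_uri: Optional[str] = None) -> str:
    """Serialise {directive: sources} into a header value, appending report-uri if set."""
    parts = [f"{name} {' '.join(sources)}" for name, sources in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)

def parse_csp_report(body: bytes) -> Optional[dict]:
    """Pull the fields a reporting view would forward (e.g. to Sentry) out of the JSON a
    browser POSTs to report-uri. Returns None for malformed bodies so the view can
    reject them instead of raising on untrusted input."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    # Older browsers send only violated-directive, which may include the source list
    # ("img-src 'self'"); keep just the directive name for grouping.
    words = str(report.get("effective-directive") or report.get("violated-directive") or "").split()
    return {
        "directive": words[0] if words else "",
        "blocked_uri": str(report.get("blocked-uri", "")),
        "document_uri": str(report.get("document-uri", "")),
    }

# Constructed sample of what a browser would POST after an img-src violation.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://localhost:8000/en-US/",
    "violated-directive": "img-src 'self'",
    "blocked-uri": "http://i2.wp.com/example.png",
}}).encode()

if __name__ == "__main__":
    print(header_name(CSP_REPORT_ONLY) + ": " + build_policy(CSP_DIRECTIVES, CSP_REPORT_URI))
    print(parse_csp_report(SAMPLE_REPORT))
```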