
Content-Security-Policy #136

Closed
enumag opened this issue Feb 15, 2016 · 6 comments

Comments

@enumag
Contributor

@enumag enumag commented Feb 15, 2016

I'm currently experimenting with Content-Security-Policy and sure enough Tracy doesn't work unless both 'unsafe-inline' and 'unsafe-eval' are allowed. I can enable them for development only of course, but I'd like to avoid it. Enabling it could easily lead me to a situation where I miss some real CSP violation because of it and push it to production.

@dg

Member

@dg dg commented Feb 15, 2016

For checking whether you miss some real CSP violation you can use the header Content-Security-Policy-Report-Only.

@enumag

Contributor Author

@enumag enumag commented Feb 15, 2016

@dg I'm aware, except it will report Tracy violations as well, and I didn't find any way to filter them out to keep only the real ones.

@dg

Member

@dg dg commented Feb 15, 2016

Tracy bar would sometime in the future work without inline and eval (#81), while Bluescreen will require unsafe-inline always. This can be solved only using the CSP nonce property (in the meantime it may be used by Bar too). But nonce is IMHO not supported by any browser.

Hmm, it seems that nonce is supported by Firefox and Chrome http://caniuse.com/#feat=contentsecuritypolicy2

@enumag

Contributor Author

@enumag enumag commented Feb 15, 2016

According to Can I use it should work in Firefox and Chrome but I didn't test it yet.

@dg

Member

@dg dg commented Feb 15, 2016

So feel free to send PR :-)

@spaze

Contributor

@spaze spaze commented Jan 16, 2017

@dg Thanks for the fix, it's quite clever to fetch the nonce from the response headers!
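The nonce approach discussed above (a per-response nonce advertised in the CSP header, then read back from the already-queued response headers by whatever component renders inline `<script>` later) can be sketched in plain PHP. This is an added example and not Tracy's own code; the function names `sendCspHeaders`, `extractCspNonce` and `renderInlineScript`, the `/csp-report` endpoint and the sample header list are assumptions constructed for illustration. In production the header list would come from `headers_list()`.

```php
<?php
declare(strict_types=1);

// Generate one unpredictable nonce per response and advertise it in the CSP
// header. Must run before any output, otherwise header() can no longer be sent.
function sendCspHeaders(): void
{
    $nonce = base64_encode(random_bytes(16));
    header("Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-$nonce'; style-src 'self' 'nonce-$nonce'");
    // Report-Only variant of a stricter policy: violations are reported to the
    // endpoint (assumed path) but not enforced, which is the approach suggested
    // earlier in this thread for spotting real violations during development.
    header("Content-Security-Policy-Report-Only: default-src 'self'; "
        . "script-src 'self' 'nonce-$nonce'; report-uri /csp-report");
}

// Recover the nonce from the headers queued for this response, so a component
// rendered later (a debug bar, an error screen) can tag its inline script
// without being handed the nonce explicitly. Takes the header list as a
// parameter so it can be exercised against a constructed list; pass
// headers_list() in a real request.
function extractCspNonce(array $headers): ?string
{
    foreach ($headers as $header) {
        if (preg_match('#^Content-Security-Policy(?:-Report-Only)?:.*\'nonce-([^\']+)\'#i', $header, $m)) {
            return $m[1];
        }
    }
    return null; // no nonce-based CSP on this response
}

// Emit an inline script carrying the nonce attribute; with no nonce present the
// script is emitted untagged and the browser will block it under a strict CSP.
function renderInlineScript(string $js, ?string $nonce): string
{
    $attr = $nonce === null ? '' : ' nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '"';
    return "<script$attr>$js</script>";
}

// Constructed sample: what headers_list() would return after sendCspHeaders().
$sampleHeaders = [
    'X-Powered-By: PHP/7.0.0',
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-rAnd0mBase64=='",
];

$nonce = extractCspNonce($sampleHeaders);
assert($nonce === 'rAnd0mBase64==');
echo renderInlineScript('console.log("debug bar loaded")', $nonce), "\n";
```

Because the nonce is regenerated on every response, a script tagged with it is trusted only for that one response; attacker-injected inline script cannot carry the right value and is still blocked. Tagging the debug bar's own scripts this way also removes them from the Report-Only stream, so the remaining reports are the real violations the first comment was worried about losing.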
