Content Security Policy support. #876
Comments
Could we do combine_js with data urls instead of an inline script? Still need eval though.
I don't think that should change how CSP applies. If it does, it's a bug in

On Mon, Nov 30, 2015 at 9:24 AM, Jeff Kaufman notifications@github.com
We need eval to:
OTOH it seems possible to implement a restricted form of combine_js which will pull together adjacent script tags by simply concatenating the files, and accepting the drawback that file2.js won't run if file1.js throws. Maybe as an option?

This is possible but we don't have anyone available to work on this, and there are other issues with CSP as mentioned in the comment on "2 Oct 2014 at 7:52". In the meantime, I think you can't have both combine_js and eval-protection; you have to choose.
CSP Level 2's

Resources with SRI should set

Is this something we should ask to be added to the spec?
Some design notes: To highlight, the worst case for us is when CSS is affected by policy in HTML--- that sort of thing is really hard for us since:

There is a bit of a pragmatic upside, too: the actual CSP use in the wild seems to be considerably less tricky than it's capable of; most policies seem to be host-level, sometimes directory level.

Is that statistic for mod_pagespeed users? Because I disabled mod_pagespeed as it compromised the security of my CSP. I expect the uptake of this mod by users who want to use CSP properly will be significantly lower. It stands to reason that most mod_pagespeed w/CSP users will have the
On Tue, Jan 31, 2017 at 8:22 AM, Tim Stamp ***@***.***> wrote:

> the actual CSP use in the wild
>
> Is that statistic for mod_pagespeed users? Because I disabled mod_pagespeed as it compromised the security of my CSP. I expect the uptake of this mod by users who want to use CSP properly, will be significantly lower. It stands to reason that most mod_pagespeed w/CSP users will have the unsafe-eval option enabled, otherwise mod_pagespeed will break their code...

No, it's based on top sites in HTTP archive. It's possible that (actual/potential) mod_pagespeed users actually have tighter policies, though, since the big sites tend to be less agile.
Looks like there is also a 'strict-dynamic' option, which may or may not be useful as an alternative method.

Any update on this? If both of them are empty, add the js code that is added now; if one of them is empty, append the other that is not empty to the js code and then add it to the page source.

@AngelDeaD could you add a concrete example of how the module would rewrite its input to illustrate your goal?

This is the line that I have a problem with: Regarding my suggestion: pagespeed static js code would be: Of course, if both webpagespeed-nonce and webpagespeed-sha are empty, the first static would be added (as it is right now).

Ping?
hey @oschaaf, i wanted to just check in on this issue really quick. we are noticing some major challenges with Pagespeed and CSP. in particular:
since PS is acting on behalf of the origin in a trusted manner, why can't it just inject nonces that match any present nonce value, for scripts it adds to the page? in any case, this is enough of a challenge for us right now that it's pagespeed or CSP, which is a lame decision to have to make. if i can help with diagnosis or PRs at all, i would be happy to contribute.

PRs definitely welcome!

Same problem here. I can't put a nonce attribute on the PS script, so the script is blocked because it violates the CSP header.

Then how do we resolve this? What's the best practice?

I've just disabled most of the filters on affected sites. Not much else we can do, until someone has a chance to implement proper support.
Did you check out https://www.modpagespeed.com/doc/configuration#honor-csp ?

On Tue, Mar 31, 2020 at 12:41 PM Sam Bull ***@***.***> wrote:

> I've just disabled most of the filters on affected sites. Not much else we can do, until someone has a chance to implement proper support.
@jmarantz

@jmarantz As per the discussion above, it breaks the CSP when using nonces/hashes etc.

@Dreamsorcerer / @jmarantz unfortunately that kind of PR, at least from scratch without pointers, is outside the scope of my skillset. what i mean to say is, i'm happy to help test PRs or otherwise diagnose issues or provide help as much as i can to the relevant teams and contributors.

Seven years, folks. Just sayin'. We cannot use the add_instrumentation filter because of this. I think Pagespeed is amazing, and I'm really surprised that the project is short of contributors, especially for something like this. I'd have thought that CSP would be a great opportunity for Pagespeed to show off its capabilities. It could be leading the way by allowing CSPs to be automatically inserted into content, not crippled by it!
I am applying a nonce to my inline javascript but that is being lost when PageSpeed rewrites the scripts. Can someone code a change to just preserve the existing nonce when it does the rewrite? Similar to how PS add the

A simple NGINX CSP implementation uses the nginx sub_filter module to replace a constant string with the current nginx request id - this works well as a nonce until pagespeed breaks it by refactoring scripts without keeping the nonce. How to CSP in NGINX

Details

Problem
Pagespeed does not respect the nonce that is being set on the scripts that it is rewriting. We can not fully use Pagespeed today due to its lack of support for even maintaining a CSP. This problem is not going away.

Proposed Solution
Can someone code the changes to ensure Pagespeed will start to respect and reuse any existing nonce="" attributes being set? e.g. just carry over the nonce from the source scripts

Any takers?
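To make the two proposals in this thread concrete (the restricted "just concatenate adjacent script tags" form of combine_js discussed earlier, and the request above to carry an existing nonce="" attribute over to the rewritten script), here is an added illustration in Python. It is not mod_pagespeed code and does not reflect how the module's HTML rewriter is structured; the `Script` record, `ScriptCollector`, `combine_scripts`, the sample HTML and the `SAMPLE_FILES` contents are all constructed for the example. It shows the defensive rule a nonce-preserving combiner needs: only combine when every input script carries the same nonce, otherwise leave the tags alone, and for hash-based policies report the CSP Level 2 `sha256-` hash-source the policy would have to allow for the newly inlined script.

```python
import base64
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not taken from the issue): two adjacent external
# scripts that the origin has already tagged with the per-request nonce.
SAMPLE_HTML = (
    '<script nonce="abc123" src="/js/file1.js"></script>\n'
    '<script nonce="abc123" src="/js/file2.js"></script>\n'
)
# Constructed stand-in for fetching the referenced files from the origin.
SAMPLE_FILES: Dict[str, str] = {
    "/js/file1.js": "var a = 1;",
    "/js/file2.js": "var b = a + 1;",
}


@dataclass
class Script:
    """One <script> element as seen by the rewriter (hypothetical record)."""
    src: Optional[str]
    nonce: Optional[str]
    body: str = ""


class ScriptCollector(HTMLParser):
    """Collect <script> elements with their src, nonce and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Script] = []
        self._open: Optional[Script] = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = Script(src=a.get("src"), nonce=a.get("nonce"))

    def handle_data(self, data):
        if self._open is not None:
            self._open.body += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def parse_scripts(html: str) -> List[Script]:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def csp_hash(source: str) -> str:
    """CSP Level 2 hash-source for an inline script: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def combine_scripts(scripts: List[Script],
                    files: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Concatenate adjacent scripts into one inline <script>, carrying the
    nonce over. Returns (combined_tag, hash_source), or None when the inputs
    do not all share one nonce, because inlining them under a single nonce
    would change which of them the page's policy permits."""
    if not scripts:
        return None
    nonces = {s.nonce for s in scripts}
    if len(nonces) != 1:
        return None  # mixed or partly missing nonces: do not rewrite
    nonce = nonces.pop()
    # Plain concatenation, as proposed in the thread; file2 still does not
    # run if file1 throws, which is the accepted drawback of this form.
    bodies = [s.body if s.src is None else files[s.src] for s in scripts]
    combined = "\n".join(bodies)
    nonce_attr = f' nonce="{nonce}"' if nonce else ""
    tag = f"<script{nonce_attr}>{combined}</script>"
    # For a policy that allows inline scripts by hash instead of nonce, this
    # is the source expression it would need under script-src.
    return tag, csp_hash(combined)


if __name__ == "__main__":
    result = combine_scripts(parse_scripts(SAMPLE_HTML), SAMPLE_FILES)
    print(result)
```

The "refuse to combine" branch is the part worth keeping in mind: a rewriter that silently drops or merges nonces turns a policy the origin set deliberately into a broken page, which is exactly the failure the comments above report.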
There are a lot of problems I discovered with pagespeed which made me pretty much abandon it entirely except for the webp conversion part, and even that I am considering just doing in the application layer directly. It seems this project was given to the Apache foundation to be its "grave".

About the only useful feature it has right now may be to recompress images to be more efficient, resize images to tag-specified width and length, and convert to webp. That's it in my opinion. I tried to modify / fork it but the build system is complex, and the projects are not isolated: you are forced to compile an apache and an nginx and both modules and even chromium just to build it, and the scripts are already broken on newer distros. I gave up on trying, and just implemented some of those features in my own apps by hand.

Thank you very much for sharing these points. I am going to abandon using the pagespeed module given your points are valid. I was blindly trusting this source code. Given the webp support is still lacking aspect ratio, and to be honest I have had some poor quality image renders.

I am curious to talk shop with you about a leading edge web application stack if you want to email me at Firegarden. I will follow up. Thank you
Original issue reported on code.google.com by mkwst@chromium.org on 29 Jan 2014 at 6:43