
Document Builder custom styles Slice 1: Change CSP to allow remotely hosted CSS files from our S3 bucket #7501

Merged
merged 3 commits into from Feb 1, 2024

Conversation

BLoe
Collaborator

@BLoe BLoe commented Feb 1, 2024

What does this PR do?

Checklist

  • Add tests
  • New files added to src/tsconfig.strictNullChecks.json (if possible)
  • Designate a primary reviewer - @grahamlangford

@@ -18,7 +18,7 @@
"48": "icons/logo48.png",
"128": "icons/logo128.png"
},
"content_security_policy": "script-src 'self' 'unsafe-eval'; font-src 'self' https://fonts.gstatic.com; connect-src 'self' http: https:; object-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src 'self' https:",
"content_security_policy": "script-src 'self' 'unsafe-eval'; font-src 'self' https://fonts.gstatic.com; connect-src 'self' http: https:; object-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://pixiebrix-public-stylesheets.s3.us-east-2.amazonaws.com; frame-src 'self' https:",
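Review bot: the PR description under "What does this PR do?" is empty, and this is exactly the kind of change that should say what it widens and why: style-src in manifest.json gains the host https://pixiebrix-public-stylesheets.s3.us-east-2.amazonaws.com so remotely hosted Document Builder stylesheets can load. Two things worth recording alongside the hunk: style-src already carries 'unsafe-inline', so the directive only constrains where stylesheet fetches may come from, not inline styles; and if the host is replaced by the scheme-source https: as proposed in the thread, https://fonts.googleapis.com becomes redundant but the manifest then permits stylesheets from any HTTPS origin, so any restriction on which remote CSS is loaded has to live in application code rather than in the CSP.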
Contributor

@twschiller twschiller Feb 1, 2024


You need to add https: instead of the specific bucket. The feature needs to support stylesheets from other locations as well (e.g., hosted by the client)

While doing that, you can remove https://fonts.googleapis.com because it will be redundant with https:
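The source-list matching behind this remark (a scheme-source such as https: subsumes the https://fonts.googleapis.com host entry, and also every other HTTPS host), as an added example that is not code from the PR or from the PixieBrix project. The extension origin and the sample stylesheet URLs are constructed, and a scheme-less host-source is simplified to match either http or https.

```javascript
// Minimal matcher for CSP source expressions: 'self', scheme-source (https:)
// and host-source (optional scheme, "*." wildcard, port, path prefix).
// Keyword sources such as 'unsafe-inline' govern inline styles, never URLs.
const SELF_ORIGIN = "chrome-extension://abcdefghijklmnop"; // constructed

// "style-src 'self' https:; img-src data:" -> { "style-src": [...], "img-src": [...] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(expr, url) {
  const u = new URL(url);
  if (expr === "'self'") return u.origin === SELF_ORIGIN;
  if (expr.startsWith("'")) return false; // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const scheme = m[1], host = m[2].toLowerCase(), port = m[3], path = m[4];
  if (scheme && u.protocol !== `${scheme.toLowerCase()}:`) return false;
  if (!scheme && !["http:", "https:"].includes(u.protocol)) return false; // simplification
  const hostOk = host.startsWith("*.") ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*" && port !== u.port) return false; // explicit ports only
  return !path || path === "/" || u.pathname.startsWith(path); // prefix match (simplified)
}

function allowedBy(policy, directive, url) {
  return (parsePolicy(policy)[directive] || []).some((e) => sourceMatches(e, url));
}

// style-src as written in this PR's hunk, and the broader form proposed in review.
const BUCKET_SCOPED = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://pixiebrix-public-stylesheets.s3.us-east-2.amazonaws.com";
const ANY_HTTPS = "style-src 'self' 'unsafe-inline' https:";

// Which of the two lists would let a given stylesheet URL load?
function compare(url) {
  return {
    bucketScoped: allowedBy(BUCKET_SCOPED, "style-src", url),
    anyHttps: allowedBy(ANY_HTTPS, "style-src", url),
  };
}
```

Under the https: list a client-hosted sheet loads as the thread intends, and so does a sheet from any other HTTPS host; the bucket-scoped list admits only the two listed hosts.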

Collaborator


Since we already have the fonts URL specified here, we can assume that using https: won't cause issues with the review/approval process. 👌

Collaborator Author


Ah ok, makes sense, thanks!

Collaborator

@fregante fregante left a comment


The MV2/3 snapshots look good too


github-actions bot commented Feb 1, 2024

No loom links were found in the first post. Please add one there if you'd like it to appear on Slack.

Do not edit this comment manually.


codecov bot commented Feb 1, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (695c3da) 72.66% compared to head (b77d75b) 72.65%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7501      +/-   ##
==========================================
- Coverage   72.66%   72.65%   -0.01%     
==========================================
  Files        1212     1212              
  Lines       37956    37956              
  Branches     7128     7128              
==========================================
- Hits        27579    27578       -1     
- Misses      10377    10378       +1     


@BLoe BLoe merged commit 5c85906 into main Feb 1, 2024
19 checks passed
@BLoe BLoe deleted the feature/7499-modify-csp-allow-stylesheets branch February 1, 2024 19:38
@grahamlangford grahamlangford added this to the 1.8.8 milestone Feb 5, 2024