Document Builder custom styles Slice 1: Change CSP to allow remotely hosted CSS files from our S3 bucket #7501
src/manifest.json
Outdated
@@ -18,7 +18,7 @@ | |||
"48": "icons/logo48.png", | |||
"128": "icons/logo128.png" | |||
}, | |||
"content_security_policy": "script-src 'self' 'unsafe-eval'; font-src 'self' https://fonts.gstatic.com; connect-src 'self' http: https:; object-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src 'self' https:", | |||
"content_security_policy": "script-src 'self' 'unsafe-eval'; font-src 'self' https://fonts.gstatic.com; connect-src 'self' http: https:; object-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://pixiebrix-public-stylesheets.s3.us-east-2.amazonaws.com; frame-src 'self' https:", |
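Review bot: the new `style-src` host is the narrowest source that satisfies the stated goal, but note that the directive already carries `'unsafe-inline'`, so the host list is the only thing limiting which external stylesheets the extension can load; if the source is later widened (for example to `https:` so that client-hosted stylesheets work), record in the PR description that any HTTPS origin then becomes a permitted stylesheet origin. This hunk only touches the string-form (MV2) `content_security_policy`; since the thread mentions MV2/3 snapshots, confirm the MV3 manifest receives the same `style-src` value.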
You need to add `https:` instead of the specific bucket. The feature needs to support stylesheets from other locations as well (e.g., hosted by the client). While doing that, you can remove `https://fonts.googleapis.com` because it will be redundant with `https:`.
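As an added example (not code from the PR), the matcher below evaluates a stylesheet URL against the `style-src` variants discussed in this thread, so the difference between the bucket-specific source and `https:` can be checked rather than argued; `EXTENSION_ORIGIN`, `styles.example.com` and the function names are assumed. It also handles `*.` host wildcards, ports and path prefixes, which this manifest does not use.

```javascript
// Added example, not code from the PR: a small matcher for CSP source expressions.
// Models 'self', scheme-source (https:), and host-source (scheme://host[:port][/path],
// optional *. wildcard); nonce/hash sources are ignored. 'unsafe-inline' governs
// inline <style> blocks, not fetched URLs, so it never matches a URL here.

const EXTENSION_ORIGIN = "chrome-extension://exampleid"; // assumed extension origin

const defaultPort = (proto) => (proto === "https:" ? "443" : proto === "http:" ? "80" : "");

function sourceAllows(source, url, selfOrigin) {
  const u = new URL(url);
  const origin = `${u.protocol}//${u.host}`; // URL.origin is "null" for extension schemes
  if (source === "'self'") return origin === selfOrigin;
  if (source.startsWith("'")) return false; // keyword sources never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && u.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = u.hostname.toLowerCase();
  if (wildcard ? !h.endsWith(`.${host.toLowerCase()}`) : h !== host.toLowerCase()) return false;
  if (port && port !== "*" && (u.port || defaultPort(u.protocol)) !== port) return false;
  if (path && !u.pathname.startsWith(path)) return false;
  return true;
}

// True when the policy's style-src directive permits loading `url`.
// Fallback to default-src is not modelled; the manifest in the diff has no default-src.
function styleSrcAllows(csp, url, selfOrigin = EXTENSION_ORIGIN) {
  const directive = csp.split(";").map((d) => d.trim()).find((d) => /^style-src(\s|$)/.test(d));
  if (!directive) return false;
  return directive.split(/\s+/).slice(1).some((src) => sourceAllows(src, url, selfOrigin));
}

// The two candidates from the thread; the bucket form is the style-src part of the diff.
const BUCKET_ONLY =
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://pixiebrix-public-stylesheets.s3.us-east-2.amazonaws.com";
const ANY_HTTPS = "style-src 'self' 'unsafe-inline' https:";

const BUCKET_CSS = "https://pixiebrix-public-stylesheets.s3.us-east-2.amazonaws.com/theme.css";
const CLIENT_CSS = "https://styles.example.com/client.css"; // constructed client-hosted sheet

// Bucket-only allows the bucket but rejects a client-hosted sheet; https: allows both
// (and makes the fonts.googleapis.com entry redundant) while still rejecting plain http.
function compare() {
  return {
    bucketOnlyAllowsBucket: styleSrcAllows(BUCKET_ONLY, BUCKET_CSS),
    bucketOnlyAllowsClient: styleSrcAllows(BUCKET_ONLY, CLIENT_CSS),
    anyHttpsAllowsClient: styleSrcAllows(ANY_HTTPS, CLIENT_CSS),
    anyHttpsAllowsPlainHttp: styleSrcAllows(ANY_HTTPS, "http://styles.example.com/client.css"),
  };
}
```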
Since we already have the fonts URL specified here, we can assume that using `https:` won't cause issues with the review/approval process. 👌
Ah ok, makes sense, thanks!
d82f4ff to 891b1f7
The MV2/3 snapshots look good too
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files (Coverage Diff):

| | main | #7501 | +/- |
| --- | --- | --- | --- |
| Coverage | 72.66% | 72.65% | -0.01% |
| Files | 1212 | 1212 | |
| Lines | 37956 | 37956 | |
| Branches | 7128 | 7128 | |
| Hits | 27579 | 27578 | -1 |
| Misses | 10377 | 10378 | +1 |

☔ View full report in Codecov by Sentry.