Allow customization of CSP to allow third-party fonts #9349
Comments
Or you could just commit the change, and then git will happily take care of merging every time you want to upgrade, helpfully informing you of upstream changes to the file. People use version control systems for a reason. I do agree that this presents a little bit of a conflict with the custom css section though. We could mitigate this by using
Could you download the fonts from Google and put them in the fonts directory instead? I don't think your users will appreciate loading from Google.
Instance admins can add 'proxy_hide_header Content-Security-Policy;' to the nginx configuration to ignore the upstream CSP and use their own CSP. Downloading and placing Google web fonts seems like a really tiresome task, because Google splits web fonts into many files to minimize download size.
@ggtea No non-admin users should be customizing CSS, so I don't think that's a problem.
@ggtea rewriting the CSP on the reverse proxy is not entirely advisable, as different controllers have slightly different headers. @nightpool there's a distinction here between admin in the sense of Mastodon, and admin as having admin rights on the host itself. Using strict-dynamic would be very good, but it would also break pghero and sidekiq monitor, unless we exempt them from it, which seems to be a mess with how Rails handles CSP.
@ThibG issues that arise solely due to a lack of configurability on the part of third party hosting providers are not valid mastodon issues
On Thu, Nov 29, 2018, 6:42 PM ThibG wrote:
@ggtea rewriting the CSP on the reverse proxy is not entirely advisable, as different controllers have slightly different headers
@nightpool there's a distinction here between admin in the sense of Mastodon, and admin as having admin rights on the host itself
Using strict-dynamic would be very good, but it would also break pghero and sidekiq monitor, unless we exempt them from it, which seems to be a mess with how Rails handles CSP.
@nightpool tbh I think it's slightly narrow-minded. Since Mastodon sets the CSP itself (which I think is a good thing) and allows customization from the admin interface, I think it makes sense for it to also whitelist some things in the CSP.
@ThibG see original post
There's probably a finite set of popular font hosts, maybe just add them all to the default CSP policy? Opens the door to new fonts without complicating configuration by adding yet more options...
I would advise against providing a GUI interface to muck with security settings. There are some reasonable attack vectors where, if an instance admin visited the wrong website, their instance could end up with its CSP disabled without them knowing and open its users up to a host of risk. I also want to advise against serving fonts directly from Google as well. Google uses this to track your users without their knowledge. Rehost the files on your instance and reference them directly instead. No mucking with CSP and no privacy invasion from Google. If the desire is to really make this easily configurable, I would advise instead that Mastodon adds a separate CSP settings file that is not tracked by git. Again, I would actually advise against modifying it at all, as I don't see a use case where you would need it.
Ah, this would be handy. Does anyone know which folder that is exactly on the file system? I'm a bit confused:
Also, if we're recommending downloading fonts, it would be useful to document how to customize those both for git installations and for docker-based ones.
I've just updated to 4.1.0 and was going through my task of adding our metaheader that shows all of our sites above Mastodon in our network. However content_security_policy.rb doesn't seem to work any more. I also found this new ruby gem called
Pitch
After the recent CSP header updates, the Google font I pulled in to customize my instance stopped working. I had this snippet of code in the "Custom CSS" field under the admin's "Site Settings":
I had to manually edit config/initializers/content_security_policy.rb and add the Google domain to the style_src directive and another domain for font_src. It would be great if I could simply edit a configuration file or change something in the site admin to facilitate this instead.
Motivation
Changing files at the Rails app level isn't ideal — now I'll have to remember to save that change and discard it temporarily upon future upgrades, then reapply.
Thanks for your consideration! (P.S. I'm a Rails developer myself, so if you could recommend a simple course of action for this sort of thing, I'd be happy to submit a PR.)
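To make the CSP change in the original post concrete, and the self-hosting alternative suggested in the comments, here is an added Ruby example (not Mastodon's initializer and not Rails' own CSP class). It models a policy in the style of the Rails DSL, serialises it to a header value, and checks which resource URLs a browser would let the page fetch under each directive, with the default-src fallback browsers apply when a directive is absent. The post names neither Google host, so fonts.googleapis.com (stylesheets) and fonts.gstatic.com (font files) are assumed here; the instance origin and the font paths are constructed.

```ruby
require "uri"

# Added example, not Mastodon's initializer or Rails' CSP class: a small model
# of a Content-Security-Policy in the style of the Rails DSL
# (policy.font_src :self, "https://fonts.gstatic.com") plus a checker that
# answers "would the browser let this page fetch that URL?".
class CspPolicy
  DIRECTIVES = %w[default-src script-src style-src font-src img-src connect-src].freeze

  def initialize
    @directives = {}
  end

  # policy.style_src :self, :unsafe_inline, "https://fonts.googleapis.com"
  # Symbols become CSP keywords ('self', 'unsafe-inline'); strings are host sources.
  DIRECTIVES.each do |name|
    define_method(name.tr("-", "_")) do |*sources|
      @directives[name] = sources.map do |s|
        s.is_a?(Symbol) ? "'#{s.to_s.tr('_', '-')}'" : s
      end
    end
  end

  # Serialise to the value sent in the Content-Security-Policy header.
  def to_header
    @directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
  end

  # True if a fetch of +url+ governed by +directive+ is permitted for a page
  # served from +page_origin+. Falls back to default-src when the directive is
  # absent, as browsers do.
  def allows?(directive, url, page_origin)
    sources = @directives[directive] || @directives["default-src"] || []
    target = URI.parse(url)
    sources.any? do |source|
      case source
      when "'none'" then false
      when "'self'" then same_origin?(target, URI.parse(page_origin))
      when "*"      then true
      when /\A'/    then false # other keywords, nonces and hashes never allow a URL
      else host_source_matches?(source, target)
      end
    end
  end

  private

  def same_origin?(a, b)
    a.scheme == b.scheme && a.host == b.host && a.port == b.port
  end

  # Host-source matching: an explicit scheme must match; the host matches
  # exactly or through a leading "*." wildcard. Paths are ignored for brevity.
  def host_source_matches?(source, target)
    scheme, rest = source.include?("://") ? source.split("://", 2) : [nil, source]
    host = rest.split("/", 2).first.split(":", 2).first
    return false if scheme && scheme != target.scheme
    if host.start_with?("*.")
      target.host.end_with?(host[1..-1])
    else
      host == target.host
    end
  end
end

# Constructed values: the instance origin and font paths are made up; the two
# Google hosts are assumed (the issue only says "the Google domain" and "another domain").
PAGE_ORIGIN = "https://mastodon.example"
GOOGLE_CSS  = "https://fonts.googleapis.com/css?family=Roboto"
GOOGLE_FONT = "https://fonts.gstatic.com/s/roboto/example.woff2"
SELF_FONT   = "https://mastodon.example/fonts/roboto.woff2"

# Same-origin-only styles and fonts: the situation before the OP's edit.
def default_policy
  policy = CspPolicy.new
  policy.default_src :self
  policy.style_src :self, :unsafe_inline
  policy.font_src :self
  policy
end

# The OP's edit: Google's CSS host added to style-src, its font host to font-src.
def google_fonts_policy
  policy = default_policy
  policy.style_src :self, :unsafe_inline, "https://fonts.googleapis.com"
  policy.font_src :self, "https://fonts.gstatic.com"
  policy
end

if __FILE__ == $PROGRAM_NAME
  puts google_fonts_policy.to_header
  puts default_policy.allows?("font-src", GOOGLE_FONT, PAGE_ORIGIN)      # false: blocked, as in the post
  puts google_fonts_policy.allows?("font-src", GOOGLE_FONT, PAGE_ORIGIN) # true: allowed after the edit
  puts default_policy.allows?("font-src", SELF_FONT, PAGE_ORIGIN)        # true: rehosted font needs no CSP change
end
```

The last check is the point the comments make: a font copied into the instance's own fonts directory is covered by 'self', so rehosting avoids both the CSP edit and the third-party request. Note that a host source such as "http://fonts.gstatic.com" would not permit the https fetch, and that a wildcard like "*.gstatic.com" widens the allowance to every subdomain, which is wider than the single host the post needed.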