CSP warnings in real operation #1999

sleidig · 2023-09-14T08:00:10Z

After deploying the CSP (report-only), some content is still triggering warnings and not properly whitelisted in our default CSP:

Refused to load the image 'blob:URL'
Fetch API cannot load https://o167951.ingest.sentry.io/api/1242399/security/. Request mode is "no-cors" but the redirect mode is not "follow".

TheSlimvReal · 2024-01-18T18:03:01Z

One problem is that the index.html script hash has not been correctly updated. How can this be done?

sleidig · 2024-01-22T07:22:22Z

I documented this here in den Developer Docs "Security" Concept (happy for suggestions about a better place): https://aam-digital.github.io/ndb-core/documentation/additional-documentation/concepts/security.html

TheSlimvReal · 2024-01-22T08:26:54Z

The instructions dont seem to work on all browsers (this is from Chrome on Mac, Safari seems to show even less info)

github-project-automation bot added this to All Tasks & Issues Sep 14, 2023

github-project-automation bot moved this to Triage in All Tasks & Issues Sep 14, 2023

sleidig moved this from Triage to Priority (Core Team) in All Tasks & Issues Sep 18, 2023

sleidig self-assigned this Sep 18, 2023

sleidig moved this from Priority (Core Team) to In Progress in All Tasks & Issues Jan 22, 2024

sleidig mentioned this issue Jan 23, 2024

some CSP fixes #2194

Merged

sleidig closed this as completed Jan 25, 2024

github-project-automation bot moved this from In Progress to Done in All Tasks & Issues Jan 25, 2024

Provide feedback