Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add csp exceptions #1551

Merged
merged 4 commits into from
Oct 8, 2022
Merged

Add csp exceptions #1551

merged 4 commits into from
Oct 8, 2022

Conversation

kamil4
Copy link
Contributor

@kamil4 kamil4 commented Oct 8, 2022

Allows a handful of inline event handlers and a single inline script via CSP hashes. I'm guessing that at least upload.check() won't be needed when @nagmat84's improved basicModal gets merged.

Removes one inline script that hasn't been needed for a good while, actually.

While with these changes Lychee works as expected again under both Firefox and Chrome, in either case there are warnings in the JS console. Firefox doesn't recognize the unsafe-hashes keyword, which is needed to get Chrome to work as expected. Chrome, on the other hand, complains about a number of permission policies: ambient-light-sensor, battery, and more. I can't help feeling that we are perhaps operating too close to the bleeding edge when it comes to our use of CSP...

Also updates php-exif to 0.7.12 in composer.json (it was already that way in composer.lock).

@kamil4 kamil4 added this to the 4.6.1 milestone Oct 8, 2022
@kamil4 kamil4 requested a review from a team October 8, 2022 03:46
@codecov
Copy link

codecov bot commented Oct 8, 2022
edited
Loading

Codecov Report

Merging #1551 (782a782) into master (80fc69d) will decrease coverage by 0.73%.
The diff coverage is n/a.

Additional details and impacted files

ildyria
ildyria approved these changes Oct 8, 2022
View reviewed changes
Copy link
Member

@ildyria ildyria left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested & LGTM

resources/views/update/error.blade.php
@@ -103,6 +103,8 @@
</form>
</div>
</div>
<!-- Do not change even a single character in the block below without
also updating the checksum in config/secure-headers.php! -->
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@ildyria ildyria merged commit 1144961 into master Oct 8, 2022
@ildyria ildyria deleted the add-csp-exceptions branch October 8, 2022 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ildyria ildyria ildyria approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.6.1
Development

Successfully merging this pull request may close these issues.
2 participants
@kamil4 @ildyria