
fix: 🔒️ add gravatar.com to the content security policy #1273

Merged
merged 2 commits into from
Sep 27, 2023

Conversation

matthieujacq
Contributor

Description

Add gravatar.com to the content security policy, so that it doesn't get blocked in production.

@matthieujacq matthieujacq self-assigned this Sep 27, 2023
@matthieujacq matthieujacq temporarily deployed to preview September 27, 2023 13:15 — with GitHub Actions Inactive
@dosubot dosubot bot added the area: frontend Related to frontend functionality or under the /frontend directory label Sep 27, 2023
@vercel
Copy link

vercel bot commented Sep 27, 2023

The latest updates on your projects.

Name           Status    Updated (UTC)
docs           ✅ Ready  Sep 27, 2023 1:45pm
quivr-strapi   ✅ Ready  Sep 27, 2023 1:45pm
quivrapp       ✅ Ready  Sep 27, 2023 1:45pm

@github-actions
Contributor

github-actions bot commented Sep 27, 2023

Risk Level 2 - /home/runner/work/quivr/quivr/frontend/next.config.js

The changes in this pull request are mostly about adding a Content Security Policy (CSP) and some changes in the configuration of the application. The risk is relatively low as it doesn't seem to modify any core functionality of the application. However, there are a few points to consider:

  1. Hardcoded URLs: The URLs for various sources are hardcoded in the CSP. This could be a problem if the URLs change in the future. It would be better to store these URLs in environment variables or a separate configuration file. For example:

```js
// 'self' is a CSP keyword and must keep its inner single quotes;
// an unquoted "self" would be parsed as a host name and never match.
"default-src": [
  "'self'",
  process.env.FONT_GOOGLE_URL,
  process.env.NEXT_PUBLIC_SUPABASE_URL,
  process.env.API_JUNE_URL,
  process.env.QUIVR_APP_URL,
],
```

  2. Unsafe inline scripts and styles: The CSP allows for unsafe inline scripts and styles. This could potentially open up the application to cross-site scripting (XSS) attacks. If possible, try to avoid using inline scripts and styles, or at least use a nonce or hash to secure them.

  3. Environment Variables: The code uses environment variables directly. It would be better to validate these variables before using them. For example, check if they exist and are in the correct format. This can prevent potential errors or security issues.

  4. CSP String Generation: The CSP string is generated by joining the entries of the ContentSecurityPolicy object. This assumes that all entries are arrays. If an entry is not an array, this could cause an error. It would be safer to check the type of each entry before joining them.


🔒🔗🚫


Powered by Code Review GPT

@gozineb gozineb (Contributor) left a comment


Super cool !

@matthieujacq matthieujacq merged commit b6f38f7 into main Sep 27, 2023
7 checks passed
@matthieujacq matthieujacq deleted the fix/gravatar-content-security-policy branch September 27, 2023 13:58
Labels
area: frontend Related to frontend functionality or under the /frontend directory