
CSP header adjustments #3068

Merged
merged 4 commits into from
Jul 21, 2021

Conversation

bjoernricks
Contributor

@bjoernricks bjoernricks commented Jul 9, 2021

Remove frame-ancestors completely because it isn't included in an
iframe anymore. If this is still required, the CSP settings can be
adjusted via a command line parameter.

More importantly, don't allow executing JavaScript from inline HTML, only
from referenced JavaScript files.

But allow loading CSS from inline <style> elements via the style-src-elem
(not supported by Firefox yet) and style-src CSP settings.

Fixes AP-1507

Checklist:

  • Tests
  • CHANGELOG Entry
  • Labels for ports to other branches
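To make the effect of the policy change checkable, here is an added example (not code from the gsa project or this PR) that parses a CSP header and evaluates the CSP3 fallback chain for inline scripts and inline styles; the `WEAK_CSP` and `HARDENED_CSP` strings are constructed illustrations of the "before" and "after" shape described above, not gsad's actual header values.

```javascript
// Added example, not from the gsa PR. Parses a Content-Security-Policy
// header and answers: is inline <script> allowed? is inline <style> allowed?
// Policy strings below are constructed, not the real gsad header values.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values.map(v => v.toLowerCase()));
    }
  }
  return directives;
}

// Resolve the directive governing an element-level load along the CSP3
// fallback chain, e.g. script-src-elem -> script-src -> default-src.
// A browser without style-src-elem support (Firefox at the time of the PR)
// simply ignores that directive and falls through to style-src.
function effectiveSources(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // nothing applies: the load is unrestricted
}

// Inline content needs 'unsafe-inline', and CSP3 disables 'unsafe-inline'
// as soon as a nonce- or hash-source is present in the same directive.
function allowsInline(sources) {
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function allowsInlineScript(header) {
  return allowsInline(effectiveSources(parseCsp(header),
    ["script-src-elem", "script-src", "default-src"]));
}

function allowsInlineStyle(header) {
  return allowsInline(effectiveSources(parseCsp(header),
    ["style-src-elem", "style-src", "default-src"]));
}

// Constructed policies: permissive "before" vs. the shape the PR aims for
// (no frame-ancestors, no inline script, inline CSS via both style directives).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'";
const HARDENED_CSP = "default-src 'self'; script-src 'self'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
```

Run against a live header (e.g. copied from a `curl -I` response) to confirm that the Create React App build with the runtime chunk no longer inlined still loads, while any inline script is blocked.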

@bjoernricks bjoernricks added the port-to-main (Use Mergify to port PR to master) and port-to-stable (Use Mergify to port PR to stable) labels Jul 9, 2021
@bjoernricks bjoernricks force-pushed the bricks/csp-header-adjustments branch from 5718ae7 to 69b5f21 on July 20, 2021 13:36
@bjoernricks bjoernricks marked this pull request as ready for review July 20, 2021 13:36
@bjoernricks bjoernricks requested a review from a team as a code owner July 20, 2021 13:36
@bjoernricks bjoernricks enabled auto-merge July 20, 2021 13:37
From https://create-react-app.dev/docs/advanced-configuration

> By default, Create React App will embed the runtime script into
> index.html during the production build. When set to false, the script
> will not be embedded and will be imported as usual. This is normally
> required when dealing with CSP.
@bjoernricks bjoernricks force-pushed the bricks/csp-header-adjustments branch from 69b5f21 to a6a9cea on July 20, 2021 13:41
@bjoernricks bjoernricks merged commit 61694b1 into gsa-20.08 Jul 21, 2021
@bjoernricks bjoernricks deleted the bricks/csp-header-adjustments branch July 21, 2021 06:37
bjoernricks added a commit that referenced this pull request Jul 21, 2021
bjoernricks added a commit that referenced this pull request Jul 21, 2021