
Include Content-Security-Policy as meta tag, assert against violations in tests and remove deprecated referrer policy #156

Merged: jelhan merged 9 commits from csp into master on Feb 23, 2019

Conversation

jelhan
Owner

@jelhan jelhan commented Jan 2, 2019

  • CSP is included in the build as a meta tag.
  • Deprecated referrer policy removed.
  • Fixes existing CSP violations.
  • Throws in tests if the CSP is violated.

@jelhan
Owner Author

jelhan commented Jan 2, 2019

Chart.js has added a CSP violation in one of its latest versions. It should be fixed after chartjs/Chart.js#5952 is merged.

All major browsers support the standard by now. Only IE11 has limited support
for X-Content-Security-Policy, but that support is limited to the sandbox
directive, which isn't used by Croodle.
Having both a Content-Security-Policy (CSP) in a meta tag and as a header
works fine. They are merged and the strongest one is applied.
It makes Croodle safer for all users even if the hoster does not apply a CSP
for some reason (e.g. they can't set custom headers).

It's still a good idea to recommend using a CSP header because those
are applied earlier, even though this shouldn't be a problem because we ensure
that the CSP meta tag is present before any other link, style or script element.
This one requires a migration from the deprecated ember-cli-qunit to ember-qunit.
ember-qunit throws in unit tests because they interact with the run loop but didn't
await everything to finish. The following assertion was therefore thrown:

> Assertion Failed: expected container not to be destroyed
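As an added illustration of the three claims above (a header CSP and a meta CSP are both enforced, so a load must satisfy each of them; the meta tag only protects what comes after it; and a test run can be failed on any `securitypolicyviolation` event), here is a small self-contained model. This is example code written for this page, not Croodle's own code or the browser's implementation: the policy strings, the `https://croodle.example` origin, the head layout and the function names (`allowedByAll`, `cspMetaCoversHead`, `installCspViolationRecorder`) are all constructed here, and the source matching is deliberately simplified (no ports, paths, nonces or hashes).

```javascript
// Added example, not Croodle's code. Models how a browser treats a CSP delivered
// both as a header and as a <meta> element, and how a test run can assert that no
// CSP violation happened. All policies, origins and head layouts are constructed.

// Parse a serialized CSP into Map<directive, sourceExpressions[]>.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const raw of serialized.split(';')) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified source-expression matching: 'none', *, 'self', scheme-source and
// host-source with an optional leading "*." label. Ports, paths, nonces and
// hashes are ignored for brevity.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not a URL match
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  return wildcard ? url.hostname.endsWith('.' + h) : url.hostname === h;
}

// One policy: a fetch directive falls back to default-src; absent both, it is allowed.
function policyAllows(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Several policies (e.g. header + meta) are each enforced on their own, so the
// effective policy is the intersection: the load must be allowed by every one.
function allowedByAll(policies, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  return policies.every((p) => policyAllows(parsePolicy(p), directive, url, pageOrigin));
}

// A meta CSP only governs elements after it. `headChildren` stands in for
// document.head.children as an ordered list of {tag, httpEquiv?} objects.
function cspMetaCoversHead(headChildren) {
  const idx = headChildren.findIndex(
    (el) => el.tag === 'meta' && (el.httpEquiv || '').toLowerCase() === 'content-security-policy'
  );
  if (idx === -1) return false;
  return headChildren.slice(0, idx).every((el) => !['link', 'style', 'script'].includes(el.tag));
}

// Test-side hook: record securitypolicyviolation events on `target` (document in a
// browser; any EventTarget here) and fail the run if any were seen.
function installCspViolationRecorder(target) {
  const violations = [];
  target.addEventListener('securitypolicyviolation', (e) => {
    violations.push(`${e.violatedDirective} blocked ${e.blockedURI}`);
  });
  return {
    violations,
    assertNone() {
      if (violations.length) {
        throw new Error('CSP violations during test:\n' + violations.join('\n'));
      }
    },
  };
}
```

With a header of `default-src 'self'; script-src 'self' https://cdn.example.com` and a meta policy of `default-src 'self'`, a script from the CDN passes the header alone but not the pair, which is the "strongest one is applied" behaviour described above; `cspMetaCoversHead` is the check one would run against the built `index.html` to confirm the meta tag precedes every link, style and script element.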
@jelhan jelhan merged commit 8304780 into master Feb 23, 2019
@jelhan jelhan changed the title update Content-Security-Policy (CSP) Include Content-Security-Policy as meta tag, assert against violations in tests and remove deprecated referrer policy Oct 30, 2019
@jelhan jelhan deleted the csp branch October 13, 2020 15:48