Include Content-Security-Policy as meta tag, assert against violations in tests and remove deprecated referrer policy #156

Merged
merged 9 commits into from
Feb 23, 2019

Commits on Feb 23, 2019

  1. 2865936
  2. 322b4df
  3. X-Content-Security-Policy and X-Webkit-CSP are not needed anymore

    All major browsers support the standard by now. Only IE11 has limited support
    for X-Content-Security-Policy. But that support is limited to the sandbox
    directive, which isn't used by Croodle.
    jelhan committed Feb 23, 2019
    fb4b2b2
  4. be01564
  5. provide Content-Security-Policy by meta tag

    Having both a Content-Security-Policy (CSP) in a meta tag and per header
    works fine together. They are merged and the strongest one is applied.
    It makes Croodle safer for all users even if the hoster does not apply CSP
    for some reason (e.g. they can't set custom headers).
    
    It's still a good idea to recommend using a CSP header because those
    are applied earlier. Even so, this shouldn't be a problem because we ensure
    that the CSP meta tag is present before any other link, style or script element.
    jelhan committed Feb 23, 2019
    b0b62fe
  6. d326b0e
  7. bbf10cb
  8. 1df5d14
  9. upgrade qunit to fix CSP violations in test runner

    This one requires a migration from deprecated ember-cli-qunit to ember-qunit.
    ember-qunit throws in unit tests because they interact with the runloop but didn't
    await everything to finish. An assertion was thrown therefore:
    
    > Assertion Failed: expected container not to be destroyed
    jelhan committed Feb 23, 2019
    6b53d58
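
The ordering requirement stated in the "provide Content-Security-Policy by meta tag" commit can be checked at build time. The following is an added example, not code from Croodle or from this pull request; `checkCspMeta` is a hypothetical name and the sample pages are constructed. It also flags the directives that browsers ignore when a policy is delivered by meta tag (`frame-ancestors`, `report-uri`, `sandbox`), which is one reason a header is still worth recommending.

```javascript
// Directives that browsers ignore when the policy arrives via <meta> (CSP spec).
const IGNORED_IN_META = ['frame-ancestors', 'report-uri', 'sandbox'];

// Simplified tag scanner for a build-time check of a static index.html.
function checkCspMeta(html) {
  const src = html.replace(/<!--[\s\S]*?-->/g, ''); // skip commented-out tags
  const tagRe = /<(meta|link|style|script)\b([^>]*)>/gi;
  let policy = null;
  let cspPos = -1;
  let firstLoad = null; // first link, style or script element
  let m;
  while ((m = tagRe.exec(src)) !== null) {
    const name = m[1].toLowerCase();
    if (name !== 'meta') {
      if (firstLoad === null) firstLoad = { name, pos: m.index };
    } else if (policy === null &&
        /http-equiv\s*=\s*["']?content-security-policy(?=["'\s]|$)/i.test(m[2])) {
      const c = /\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(m[2]);
      policy = c ? (c[1] !== undefined ? c[1] : c[2]) : '';
      cspPos = m.index;
    }
  }
  const problems = [];
  if (policy === null) {
    problems.push('missing');
  } else {
    if (firstLoad !== null && firstLoad.pos < cspPos) {
      problems.push('late:' + firstLoad.name);
    }
    for (const part of policy.split(';')) {
      const directive = part.trim().split(/\s+/)[0].toLowerCase();
      if (IGNORED_IN_META.includes(directive)) problems.push('ignored:' + directive);
    }
  }
  return { ok: problems.length === 0, policy, problems };
}

// Constructed sample pages (not Croodle's real index.html).
const GOOD = `<!DOCTYPE html><html><head><meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'">
<link rel="stylesheet" href="assets/app.css"><script src="assets/app.js"></script></head></html>`;
const LATE = `<html><head><script src="assets/vendor.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'none'">
</head></html>`;

console.log(checkCspMeta(GOOD), checkCspMeta(LATE));
```

The scanner is regex-based and intended for a project's own generated index.html, not for arbitrary HTML.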