Add a Content Security Policy to non-rustdoc pages

[pietroalbini]

This PR adds a Content Security Policy to all pages except for rustdoc pages, increasing the security of the website. This should not break anything, but in case something breaks there is no need to revert the PR: setting the DOCSRS_CSP_REPORT_ONLY environment variable to true will switch the CSP to be "report-only", notifying breakages in the console without actually blocking any content.

There are a couple of changes here that will affect how docs.rs is developed (cc @rust-lang/docs-rs):

• Inline styles with style="" are not allowed anymore. Using CSS classes is required instead.
• Any JavaScript will need to have the nonce="{{ csp_nonce }}" HTML attribute for it to work.
• eval() inside JavaScript doesn't work anymore (we weren't using it before, but listing that just to be sure).

The best way to test this is to start the server locally and see if anything breaks while visiting pages.

r? @jyn514

[jyn514]

error: name `IO` contains a capitalized acronym
Error:   --> crates/metadata/lib.rs:74:5
   |
74 |     IO(#[from] io::Error),
   |     ^^ help: consider making the acronym lowercase, except the initial letter (notice the capitalization): `Io`
   |
   = note: `-D clippy::upper-case-acronyms` implied by `-D warnings`

Globally allowing that warning in crates/metadata seems fine to me.

[jyn514]

@pietroalbini this causes utils.js to fail to load:

[jyn514]

There's also an error on /features pages (e.g. http://localhost:3000/crate/konst/0.2.0/features).

I can't seem to figure out how to get firefox to tell me what line it's on, though.

[pietroalbini]

Fixed the features page, I'm not exactly sure where you see the utils.js error though.

[jyn514]

Fixed the features page, I'm not exactly sure where you see the utils.js error though.

I think this might be something injected by firefox devtools, it doesn't seem to be affecting the site at all.

[syphar]

Fixed the features page, I'm not exactly sure where you see the utils.js error though.

I think this might be something injected by firefox devtools, it doesn't seem to be affecting the site at all.

Short note here (without having read the code)

• chrome and safari don't show the error, so it seems to be related to FF (and IMHO dev tools)
• I do see an error when checking rustdoc pages.

[jyn514]

I clicked around some more and everything seems to be working now :)

[jyn514]

Why make the suppress field private if you're going to allow setting it anyway?

[pietroalbini]

Mostly out of habit, and because this looks weird:

     req.extensions
        .get_mut::<Csp>()
        .expect("missing CSP")
        .suppress = true; 

[jyn514]

This is shared between all threads, isn't it? Won't this surpress the CSP policy for all requests? Or is it per-request because you used link_before?

[pietroalbini]

Well, all the extensions are added in each request. Most of the others are just cloned Arc<_>s, instead here it's a fresh instance every time.

[jyn514]

Ahhh, I just realized while reading this that there's a new nonce for each request, it's not a hash of the file or anything like that. Maybe add a comment to the CSP saying that? And a test that two sequential requests get different nonces?

[pietroalbini]

Hmm, the test is already there. I'll add a comment.

[Nemo157]

I see a few errors from extensions injected scripts, that might be where utils.js is coming from too, I don't get that specific one in FF devtools.

[pietroalbini]

Rebased and addressed all review comments.