Content Security Policy #3620
Comments
@rudolphfroger I think you mentioned the HTTP header; however, Sphinx IS NOT a server application. Sphinx just generates HTML files. So I think there is nothing to do from the Sphinx side.
I understand that Sphinx won't be able to set an HTTP header. At the moment the inline JavaScript in the Sphinx themes prevents anyone from setting a reasonable Content Security Policy header without breaking Sphinx functionality. Moving all inline JavaScript and CSS into separate JS and CSS files would enable people to serve Sphinx in a better secured setup.
Thanks for your explanation. Indeed, current templates are not good.
CSP can either be served via a header (i.e., via Apache) or put into a meta tag (i.e., in a Sphinx theme). The point of CSP is that it can be configured to disallow inline scripts/styles to prevent XSS/CSRF attacks, so it is a Sphinx problem. Currently the RTD theme sets DOCUMENTATION_OPTIONS expected by the basic theme (doctools, searchtools, etc.) by doing this:
IMO there should be a better way to set these properties than JavaScript, i.e. through some type of middleware.
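A practical consequence of the comment above, as an added example that is not code from Sphinx or from anyone in this thread: because Sphinx output is static, per-response nonces are unavailable, but a header (or the equivalent meta tag) can still forbid 'unsafe-inline' and allow the inline DOCUMENTATION_OPTIONS block by its SHA-256 hash. The sample page, the function names and the policy shape are constructed for illustration.

```python
# Added example (not Sphinx's code): derive a hash-based CSP for the inline
# <script> blocks of a built Sphinx page and report inline event handlers,
# which a hash in script-src cannot cover and still need to be moved out.
import base64
import hashlib
from html.parser import HTMLParser

# Constructed stand-in for a theme page that sets DOCUMENTATION_OPTIONS inline.
SAMPLE_PAGE = """<html><head>
<script>var DOCUMENTATION_OPTIONS = {URL_ROOT: './', VERSION: '1.8.4'};</script>
<script src="_static/doctools.js"></script>
</head><body onload="init()"><p>docs</p></body></html>"""


class InlineScriptCollector(HTMLParser):
    """Collect bodies of <script> elements without src, plus on* attributes."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self.inline_scripts = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._in_inline_script = True
            self.inline_scripts.append("")
        self.event_handlers.extend((tag, n) for n in attrs if n.startswith("on"))

    def handle_data(self, data):
        if self._in_inline_script:  # script content may arrive in pieces
            self.inline_scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def script_hash(source):
    """CSP source token: base64(sha256(exact script text, whitespace included))."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def audit_page(html):
    """Return a strict policy for the page and the inline handlers it cannot allow."""
    collector = InlineScriptCollector()
    collector.feed(html)
    hashes = " ".join(script_hash(s) for s in collector.inline_scripts)
    policy = "default-src 'self'; script-src 'self' %s; style-src 'self'" % hashes
    return {"policy": policy.replace("  ", " "),
            "inline_script_count": len(collector.inline_scripts),
            "event_handlers": collector.event_handlers}
```

The returned policy value works unchanged as a Content-Security-Policy header or as the content of a `<meta http-equiv="Content-Security-Policy">` tag; any edit to the inline block, even whitespace, changes its hash and must be re-run.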
Fixed by #4295.
Because of this issue I've updated my Sphinx to 1.8.4 and it seems that the problem with
As I understand it, the purpose of the original AJAX code is to defer loading
@jumarko I've opened a PR if you would like to pull it down and test it.
#3620: Defer searchindex.js rather than loading it via ajax
to address sphinx-doc/sphinx#3620, we need to use sphinx with its fix at sphinx-doc/sphinx@e049f86. in other words, we need to use sphinx v2.0.0 and up. but sphinx 2.0 requires python >= 3.5, so we have to use python3 for building the documents. in this change:
* doc-requirements.txt: install python3 packages on debian derivatives
* build-doc: install python3.6 packages from EPEL7, and use python3 venv for using sphinx2
* doc-requirements.txt: bump up all python packages to latest stable.
Signed-off-by: Kefu Chai <kchai@redhat.com>
Hopefully a more future-proof fix, removing the dependency on ajax and searchtools.js altogether. (After loading, searchindex.js itself does depend on searchtools.js, but both are updated with the version of sphinx that is used, unlike this template.) Because the script is loaded with `defer` and also right at the end of the body, the size of searchindex.js should not block loading the rest of the page (one of the arguments for using ajax).
Subject: adjust themes to allow a sufficiently strict Content-Security-Policy
Problem
Also see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Procedure to reproduce the problem
Serving the generated HTML using a Content Security Policy header like below gives many exceptions:
Expected results
I expected to be able to set a Content-Security-Policy header to protect the site against XSS and injection attacks.
Environment info