Skip to content

build: deprecate shasum in Vulcanization #2950

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stephanwlee merged 3 commits into from
Nov 22, 2019
Merged

build: deprecate shasum in Vulcanization #2950

stephanwlee merged 3 commits into from
Nov 22, 2019

Conversation

@stephanwlee
Copy link
Contributor

@stephanwlee stephanwlee commented Nov 19, 2019

As part of our security hardening and CSP support, we decided to
introduce script checksum as part of the Vulcanization that gets used at
the serving time using http_util.py. We understand that this imposes
a bit too stringent requirements for all and we decided to relax the CSP
comformance a little by trusting JavaScript from our server
(effectively, default-src 'self').

Note that we do not yet remove shasum related code from http_util
because it is being used by the Plugin HTML endpoint in application.py.
For that, we may want to use nonce or separate JavaScript file approach.

@wchargin
Copy link
Contributor

wchargin commented Nov 19, 2019

Cancelled build to unblock #2947, without which this build would fail
anyway.

@stephanwlee stephanwlee force-pushed the vulc-clean branch 4 times, most recently from 24aeac5 to 388d147 Compare November 20, 2019 15:51
@stephanwlee stephanwlee requested a review from nfelt November 20, 2019 15:52
nfelt
nfelt approved these changes Nov 21, 2019
View reviewed changes
@stephanwlee stephanwlee reopened this Nov 21, 2019
@stephanwlee
build: deprecate shasum in Vulcanization
a8b78df 
As part of our security hardening and CSP support, we decided to
introduce script checksum as part of the Vulcanization that gets used at
the serving time using http_util.py. We understand that this imposes
a bit too stringent requirements for all and we decided to relax the CSP
comformance a little by trusting JavaScript from our server
(effectively, default-src 'self').

Note that we do not yet remove shasum related code from http_util
because it is being used by the Plugin HTML endpoint in application.py.
For that, we may want to use nonce or separate JavaScript file approach.
@stephanwlee
whitespace
7259c08
@stephanwlee
style-src changed
6fec68c
@stephanwlee stephanwlee merged commit 56e4bf4 into tensorflow:master Nov 22, 2019
@stephanwlee stephanwlee deleted the vulc-clean branch November 22, 2019 06:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@nfelt nfelt nfelt approved these changes

@wchargin wchargin wchargin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cla: yes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@stephanwlee @wchargin @nfelt @googlebot