USH-015 — Missing X-XSS-Protection HTTP Header #1610
This should be a simple fix. For the client: add this header via nginx config.
@willdoran is this in the correct column? Are we blocked?
@rowasc I'm not 100% sure. I don't think it should be in In Development; I'm moving it to Ready for Spec. I believe the solution for this is to change our nginx config and add some docs for OSS users.
@rowasc @willdoran I don't think this bears any further speccing.
I think so. Not much to spec here.
I've added this to platform-cloud-ansible. It's only deployed to v3-qa right now. We can deploy to other environments by running This PR adds the header to the example config files.
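For reference, here is what the nginx side of the fix looks like as an added example; it is not the platform-release template or the platform-cloud-ansible change, and the server name, document root and asset extensions are placeholders. Two points a deployer should know: `always` (nginx 1.7.5+) makes the header appear on 4xx/5xx responses as well, and `add_header` is not inherited into a `location` block that declares its own `add_header`, so the asset location must repeat it or the header silently disappears there. Also note that `X-XSS-Protection` toggles a legacy browser filter: Chromium removed its XSS Auditor in Chrome 78 and Firefox never implemented one, so current browsers ignore the header and a Content-Security-Policy is the supported defence; the header is still harmless to send alongside one.

```nginx
# Added example config (not the project's own templates); names are placeholders.
server {
    listen 80;
    server_name example.test;
    root /var/www/platform-client;

    # 'always' also attaches the header to error responses.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        # Angular routing: any unknown path falls back to index.html.
        try_files $uri $uri/ /index.html;
    }

    location ~* \.(js|css|png|svg|woff2?)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        # Caveat: declaring add_header here drops the server-level headers
        # for this location, so the security header has to be repeated.
        add_header X-XSS-Protection "1; mode=block" always;
    }
}
```

Check the result with `curl -sI https://<host>/` and `curl -sI https://<host>/app.XXXXX.js` and confirm both responses carry the header; forgetting the repeat in the asset location is the usual reason the second one does not.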
@tuxpiper can you help me out with platform-release? Is one of these htaccess or nginx templates used for the client? https://github.com/ushahidi/platform-release/tree/master/dist
Yes, these are used in the docker images that can be built from the repo: https://github.com/ushahidi/platform-release/blob/master/run.sh#L134 And they are bundled in the downloadable tarball, for deployers to take as reference while setting up their systems.
Re-opening to apply on the CloudFront deployments.
Implementing this properly in the AWS stack would mean having different CDN distributions for index and assets. A blocker for that is modifying the client's build routine so that index.html can reference the assets on a different domain (i.e. "assets.ushahidi.io/app.XXXXX.js" instead of just "app.XXXXX.js").
@tuxpiper that's probably sensible to do anyway, but I'm not clear why it's required for this ticket?
@tuxpiper this ushahidi/platform-client#1258 gives you a way to pass in a base URL. We'll need to test and verify if all the assets still work as expected, though.
Yep, sorry I didn't document; I found out about this too much towards the end of my day. The injection of headers in CloudFront is done with Lambda@Edge (L@E), which carries a cost per execution. So while things would work by applying the L@E function to the whole distribution, we would be paying extra for unnecessarily invoking the function for purely static assets. I tried working around that by having different cache behaviors in a single CloudFront distribution (one for the "/index.html" path, configured to invoke L@E, another for the rest), but was sabotaged by the fact that any URL that doesn't match an asset file must be internally redirected to /index.html for Angular routing. Then I remembered we had #1322 open, and back then we thought it was a good thing to do anyway, to separate purely static assets to their own domain. I was hoping it would be an easy thing to configure and you did it :) Thanks!
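The Lambda@Edge mechanism described above, as an added example that is not the project's deployment code: an origin-response handler that stamps `X-XSS-Protection` onto the response before CloudFront caches it. The event shape is the one CloudFront passes to origin-response triggers (headers keyed by lowercase name, each an array of `{key, value}`); the decision to stamp only `text/html` responses is this example's own choice. It does not remove the per-invocation cost the comment raises (the function still runs for every cache miss on whichever behavior it is attached to); it only guarantees that static assets that do hit it are passed through untouched.

```javascript
'use strict';
// Added example, not the project's own Lambda@Edge function.
// Assumed: attached as an "origin-response" trigger on the CloudFront
// behavior that serves index.html (and the Angular fallback to it).

const HEADER_KEY = 'X-XSS-Protection';
const HEADER_VALUE = '1; mode=block';

// CloudFront lowercases header names in the event; values are arrays.
function isHtmlResponse(response) {
  const ct = (response.headers['content-type'] || [])[0];
  return Boolean(ct && /^text\/html/i.test(ct.value));
}

// Adds the header to HTML documents only; other responses are returned as-is,
// so a cached asset never gains or loses headers because of this function.
function addXssProtection(response) {
  if (!isHtmlResponse(response)) {
    return response;
  }
  response.headers[HEADER_KEY.toLowerCase()] = [
    { key: HEADER_KEY, value: HEADER_VALUE },
  ];
  return response;
}

// Lambda@Edge entry point: the origin response lives at Records[0].cf.response.
const handler = async (event) => addXssProtection(event.Records[0].cf.response);

// Constructed sample event in the origin-response shape, for local runs.
function sampleEvent(contentType, uri) {
  return {
    Records: [{
      cf: {
        request: { uri },
        response: {
          status: '200',
          headers: { 'content-type': [{ key: 'Content-Type', value: contentType }] },
        },
      },
    }],
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, addXssProtection, isHtmlResponse, sampleEvent };
}
```

Running the handler against `sampleEvent('text/html; charset=utf-8', '/index.html')` yields a response carrying the header, while `sampleEvent('application/javascript', '/app.XXXXX.js')` comes back unchanged; the second case is what makes it safe to attach the function to a broad cache behavior if the separate-distribution split is not in place yet.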
Yup. The only caveat is that SVGs are a pain. Because they're XML, most browsers refuse to load them cross-origin. So we can either inline the SVGs or load them from the same origin (i.e. quakemap.ushahidi.io, not assets.ushahidi.io).
Trying a different approach with ushahidi/platform-client#1262.
Aha! Link: https://ushahiditeam.aha.io/features/PROD-26