945460 - Enable Content Security Policy for Webmaker Profile

Status: RESOLVED FIXED

(Webmaker Graveyard :: Profile, defect)

Description

[Jon Buckley [:jbuck]]

It's time to turn this on.

Comment 1

[Jon Buckley [:jbuck]]

Attachment: https://github.com/mozilla/webmaker-profile-service/pull/26

This is a fairly simple policy, my only problem with it is that it requires setting script-src: 'unsafe-evail' for lodash.template. I don't see where in the code lodash.template is being used though? It's possible to work around new Function() by using pre-compiled templates, but I can't even seem to find where lodash.template is being used.

Comment 2

[Jon Buckley [:jbuck]]

Alright, after a restart of my browser it seems that it's lodash itself causing the error; it uses new Function() to create some functions internally: https://github.com/lodash/lodash/issues/54

Going to try loading a different build of lodash, which should fix this.

Comment 3

[Jon Buckley [:jbuck]]

Comment on attachment 8341307 [details] [review]
https://github.com/mozilla/webmaker-profile-service/pull/26

Alright, upgrading lodash totally fixed that unsafe-eval violation. This is ready for review!

:mgoodwin - Would you mind looking at this CSP policy?

Comment 4

[Mark Goodwin [:mgoodwin]]

Comment on attachment 8341307 [details] [review]
https://github.com/mozilla/webmaker-profile-service/pull/26

(In reply to Jon Buckley [:jbuck] from comment #3)
> :mgoodwin - Would you mind looking at this CSP policy?

Not at all; it's great to see another application making use of CSP.

The policy looks good to me.

Comment 5

[[github robot]]

Commit pushed to master at https://github.com/mozilla/webmaker-profile-service

https://github.com/mozilla/webmaker-profile-service/commit/bb549d21743764facd883c12118d6b7c6179b5c1
Bug 945460 - Enable Content Security Policy

Comment 6

[Jon Buckley [:jbuck]]

This is on prod now!