Bug 945460 - Enable Content Security Policy for Webmaker Profile
Status: Closed, RESOLVED FIXED
Opened 11 years ago; Closed 11 years ago
Categories: Webmaker Graveyard :: Profile, defect
Tracking: Not tracked
People: Reporter: jon, Assigned: jon
Attachments: 1 file
It's time to turn this on.
Comment 1 • 11 years ago (Assignee)
This is a fairly simple policy, my only problem with it is that it requires setting script-src: 'unsafe-eval' for lodash.template. I don't see where in the code lodash.template is being used though? It's possible to work around new Function() by using pre-compiled templates, but I can't even seem to find where lodash.template is being used.
Attachment #8341307 - Flags: feedback?(gavin)
Comment 2 • 11 years ago (Assignee)
Alright, after a restart of my browser it seems that it's lodash itself causing the error; it uses new Function() to create some functions internally: https://github.com/lodash/lodash/issues/54 Going to try loading a different build of lodash, which should fix this.
Comment 3 • 11 years ago (Assignee)
Comment on attachment 8341307 [details] [review]
https://github.com/mozilla/webmaker-profile-service/pull/26

Alright, upgrading lodash totally fixed that unsafe-eval violation. This is ready for review! :mgoodwin - Would you mind looking at this CSP policy?
Attachment #8341307 - Flags: review?(gavin)
Attachment #8341307 - Flags: feedback?(mgoodwin)
Attachment #8341307 - Flags: feedback?(gavin)
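The thread above turns on the problem Comment 1 and Comment 2 describe: a library that builds functions with new Function() forces 'unsafe-eval' into script-src, and upgrading the library is what lets the policy drop it. The following is an added example, not code from the webmaker-profile-service pull request. It parses and serializes a Content-Security-Policy header value and audits the effective script-src for the keywords that weaken it; the two policy strings are constructed for illustration and are not the policy under review, and cspHeader() only assumes an Express-style handler that calls res.setHeader() with the returned pair.

```javascript
'use strict';

// Serialize {directive: [sources]} into a Content-Security-Policy header value.
function serializeCsp(policy) {
  return Object.keys(policy)
    .map((directive) => [directive, ...policy[directive]].join(' '))
    .join('; ');
}

// Parse a Content-Security-Policy header value into {directive: [sources]}.
// Directives are separated by ';', sources by whitespace; names are case-insensitive.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// script-src governs eval() and new Function(); when it is absent, default-src applies.
function effectiveScriptSources(policy) {
  if (policy['script-src']) return policy['script-src'];
  return policy['default-src'] || [];
}

// Report keyword sources that weaken script restrictions. Returns [] for a clean policy.
function auditScriptPolicy(policy) {
  const sources = effectiveScriptSources(policy);
  const findings = [];
  if (sources.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' permits eval() and new Function(); fix or replace the dependency that needs it");
  }
  if (sources.includes("'unsafe-inline'")) {
    findings.push("'unsafe-inline' permits inline <script> blocks and event handlers");
  }
  if (sources.includes('*')) {
    findings.push("'*' permits scripts from any origin");
  }
  return findings;
}

// Constructed sample policies (assumptions, not the policy from the pull request):
// the first is what a lodash build that calls new Function() would force,
// the second is what becomes possible once no dependency compiles code at runtime.
const POLICY_WITH_EVAL =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self' data:";
const POLICY_WITHOUT_EVAL =
  "default-src 'self'; script-src 'self'; img-src 'self' data:";

// Header name/value pair for an Express-style handler: res.setHeader(...cspHeader(policy)).
function cspHeader(policy) {
  return ['Content-Security-Policy', serializeCsp(policy)];
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const value of [POLICY_WITH_EVAL, POLICY_WITHOUT_EVAL]) {
    const findings = auditScriptPolicy(parseCsp(value));
    console.log(value, '=>', findings.length ? findings : 'OK');
  }
}
```

Running the file prints one finding for the first policy and OK for the second. The audit looks at the effective script-src, so a policy that leaves script-src unset and puts 'unsafe-eval' in default-src is flagged just the same; that is the case a quick grep for "script-src" would miss.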
Comment 4 • 11 years ago
Comment on attachment 8341307 [details] [review]
https://github.com/mozilla/webmaker-profile-service/pull/26

(In reply to Jon Buckley [:jbuck] from comment #3)
> :mgoodwin - Would you mind looking at this CSP policy?

Not at all; it's great to see another application making use of CSP. The policy looks good to me.
Attachment #8341307 - Flags: feedback?(mgoodwin) → feedback+
Updated • 11 years ago
Attachment #8341307 - Flags: review?(gavin) → review+
Comment 5 • 11 years ago
Commit pushed to master at https://github.com/mozilla/webmaker-profile-service
https://github.com/mozilla/webmaker-profile-service/commit/bb549d21743764facd883c12118d6b7c6179b5c1
Bug 945460 - Enable Content Security Policy
Comment 6 • 11 years ago (Assignee)
This is on prod now!
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED