Closed Bug 1444808 Opened 7 years ago Closed 7 years ago

Remove Additional Content Security Policy

Categories

(Cloud Services :: Operations: LandoUI, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: imadueme, Assigned: ckolos)

LandoUI's flask application injects a content security policy header on every request. It seems that another header is being injected after the flask response is emitted. My guess is that our nginx configuration is adding this extra header. If this is the case, it should be removed. The flask application will be responsible for adding the CSP header on all requests.

**Flask header**:

Content-Security-Policy: report-uri /__cspreport__; default-src 'self'; object-src 'none'; img-src 'self' *.cloudfront.net *.gravatar.com *.googleusercontent.com; manifest-src 'none'; base-uri 'none'; media-src 'none'; frame-ancestors 'none'; style-src 'self' https://code.cdn.mozilla.net; font-src 'self' https://code.cdn.mozilla.net; frame-src 'none'; worker-src 'none'

**Additional Mystery Header**:

Content-Security-Policy: default-src 'self' data: 'unsafe-inline'; script-src 'self' 'unsafe-inline'; object-src 'self'; report-uri /__cspreport__

This is causing images and fonts to fail to load.
fixed
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
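
Why the two headers in the report break images and fonts, as an added example that is not part of the bug or of LandoUI's code: a browser enforces every Content-Security-Policy header it receives, so a load must pass both policies. The matcher is a simplified sketch (no ports, paths or scheme-upgrade rules), and `ORIGIN` and the URLs used to exercise it are constructed.

```python
from urllib.parse import urlsplit

# Header values copied from the bug report. ORIGIN is a constructed placeholder.
ORIGIN = "https://lando.example"
FLASK_CSP = (
    "report-uri /__cspreport__; default-src 'self'; object-src 'none'; "
    "img-src 'self' *.cloudfront.net *.gravatar.com *.googleusercontent.com; "
    "manifest-src 'none'; base-uri 'none'; media-src 'none'; frame-ancestors 'none'; "
    "style-src 'self' https://code.cdn.mozilla.net; "
    "font-src 'self' https://code.cdn.mozilla.net; frame-src 'none'; worker-src 'none'")
EXTRA_CSP = ("default-src 'self' data: 'unsafe-inline'; script-src 'self' "
             "'unsafe-inline'; object-src 'self'; report-uri /__cspreport__")

def parse(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return out

def source_matches(src, url, origin):
    """Simplified source-expression match: 'self', scheme-source, host, *.host."""
    u = urlsplit(url)
    if src == "'self'":
        o = urlsplit(origin)
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if src.startswith("'"):        # 'none', 'unsafe-inline', ... never match a URL
        return False
    if src.endswith(":"):          # scheme-source such as data:
        return u.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def allowed_by(policy, directive, url, origin=ORIGIN):
    """Check one policy; fetch directives fall back to default-src when absent."""
    d = parse(policy)
    sources = d.get(directive, d.get("default-src"))
    return True if sources is None else any(source_matches(s, url, origin) for s in sources)

def allowed(policies, directive, url, origin=ORIGIN):
    """A load succeeds only if every delivered policy allows it."""
    return all(allowed_by(p, directive, url, origin) for p in policies)
```

The extra header has no `img-src` or `font-src`, so both fall back to its `default-src 'self' data:`, which rejects the CDN hosts that the Flask policy allows.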