Closed Bug 1450327 Opened 7 years ago Closed 7 years ago

CSS and JavaScript not functioning on reports-dev.tmo

Categories

(Data Platform and Tools :: Documentation and Knowledge Repo (RTMO), defect, P1)

x86_64
Linux
defect
Points:
1

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: harter, Assigned: hwoo)

References

Details

We started adding reports to reports-dev.telemetry.mozilla.org. Take this report for example [1]. The CSS and JavaScript fail to render. If I copy the site locally and open it, the full page renders. Looking at the JavaScript console, I see a bunch of Content Security Policy errors. Where is the Content Security Policy defined and can we loosen it? Tagging :hwoo as assignee since he set up the initial deploy. Feel free to redirect.

[1] https://reports-dev.telemetry.mozilla.org/addons-engagement/index.html
Content Security Policy is defined here: https://github.com/mozilla-services/cloudops-deployment/blob/master/projects/data/puppet/modules/rtmo/templates/http.conf.epp#L74

```
# default security headers
header_filter_by_lua_block {
    default_headers = {
        ["X-XSS-Protection"] = "1; mode=block",
        ["X-Content-Type-Options"] = "nosniff",
        ["Cache-Control"] = "private, no-cache, no-store, must-revalidate",
        ["X-Frame-Options"] = "DENY",
        ["Content-Security-Policy"] = "\z
            default-src 'self'; \z
            child-src 'none'; \z
            object-src 'none'; \z
            frame-ancestors 'none'; \z
            base-uri 'none'; \z
            report-uri /__cspreport__",
    }
    for header, default in pairs(default_headers) do
        ngx.header[header] = ngx.header[header] or default
    end
}
```
Can we change the CSP to the following:

```
default-src 'self' data:; script-src 'self' data: 'unsafe-inline'; style-src 'self' data: 'unsafe-inline'
```

This fixes the large majority of CSP errors I've seen so far. We're exclusively hosting static content which ameliorates most of the risk a strict CSP addresses. I'll follow up with the data science team to clean up any externally loaded scripts (which will continue to be broken by this CSP).
Flags: needinfo?(hwoo)
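To see concretely what the proposed relaxation changes, here is an added example (written for this page, not code from the rtmo deployment) that parses both policies and evaluates the resource types named in the thread; it also checks frame-ancestors and base-uri, which do not inherit from default-src, so leaving them out of the new policy removes those restrictions entirely. The page origin, resource URLs and data: body are constructed sample values.

```python
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://reports-dev.telemetry.mozilla.org"   # constructed page origin
NO_FALLBACK = {"frame-ancestors", "base-uri", "report-uri"}  # never inherit default-src
STRICT = ("default-src 'self'; child-src 'none'; object-src 'none'; "
          "frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__")
PROPOSED = ("default-src 'self' data:; script-src 'self' data: 'unsafe-inline'; "
            "style-src 'self' data: 'unsafe-inline'")
def parse_csp(policy):
    """{directive: [sources]}; the first occurrence of a directive wins."""
    out = {}
    for tokens in (part.split() for part in policy.split(";")):
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out
def effective_sources(policy, directive):
    """Source list governing `directive`, or None when nothing restricts it."""
    csp = parse_csp(policy)
    if directive in csp:
        return csp[directive]
    return None if directive in NO_FALLBACK else csp.get("default-src")
def allows(policy, directive, resource):
    """`resource` is 'inline' or a URL; True if the policy admits it."""
    srcs = effective_sources(policy, directive)
    if srcs is None:
        return True                      # directive absent and no fallback
    if "'none'" in srcs:
        return False
    if resource == "inline":
        return "'unsafe-inline'" in srcs
    parsed = urlsplit(resource)
    if parsed.scheme == "data":
        return "data:" in srcs           # scheme-source match
    origin = f"{parsed.scheme}://{parsed.netloc}"
    return (origin == PAGE_ORIGIN and "'self'" in srcs) or origin in srcs
# Constructed checks: the failures reported on the page, an external script,
# and the two directives the proposed policy drops that have no fallback.
CHECKS = [
    ("inline <script>", "script-src", "inline"),
    ("inline <style>", "style-src", "inline"),
    ("data: stylesheet", "style-src", "data:text/css,body{margin:0}"),
    ("same-origin script", "script-src", PAGE_ORIGIN + "/addons-engagement/app.js"),
    ("third-party script", "script-src", "https://cdn.example.net/lib.js"),
    ("framed by another site", "frame-ancestors", "https://other.example/"),
    ("<base href> to another site", "base-uri", "https://other.example/"),
]

def compare():
    """{label: (allowed under STRICT, allowed under PROPOSED)} for each check."""
    return {label: (allows(STRICT, d, r), allows(PROPOSED, d, r)) for label, d, r in CHECKS}
```

Calling compare() shows that the proposed policy admits inline and data: scripts and styles while still blocking the external script, as the comment notes, and that framing and <base> rewriting become unrestricted because those directives have no default-src fallback.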
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(hwoo)
Resolution: --- → FIXED