It's time to turn this on.
Created attachment 8341307 [details] [review] https://github.com/mozilla/webmaker-profile-service/pull/26 This is a fairly simple policy; my only problem with it is that it requires setting script-src: 'unsafe-eval' for lodash.template. I don't see where in the code lodash.template is being used though? It's possible to work around new Function() by using pre-compiled templates, but I can't even seem to find where lodash.template is being used.
Alright, after a restart of my browser it seems that it's lodash itself causing the error; it uses new Function() to create some functions internally: https://github.com/lodash/lodash/issues/54 Going to try loading a different build of lodash, which should fix this.
Comment on attachment 8341307 [details] [review] https://github.com/mozilla/webmaker-profile-service/pull/26 Alright, upgrading lodash totally fixed that unsafe-eval violation. This is ready for review! :mgoodwin - Would you mind looking at this CSP policy?
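The violation discussed in comments 2 and 3 comes from the fact that `eval()` and `new Function()` are governed by `script-src` (falling back to `default-src`), so any library that builds functions from strings at runtime needs `'unsafe-eval'`. The following is an added example, not code from the pull request or from the webmaker-profile-service project: it serialises a policy object into a header, parses a header back to check whether it would permit such calls, and contrasts a lodash-style runtime template compile with the precompiled-function workaround mentioned above. The policy values, the `cspMiddleware` wiring and the helper names are constructed for illustration.

```javascript
// Serialize a { directive: [sources] } object into a
// Content-Security-Policy header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into { directive: [sources] }.
// Directive names are case-insensitive; source tokens are kept as-is.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    out[directive.toLowerCase()] = sources;
  }
  return out;
}

// eval(), new Function() and setTimeout(string) fall under script-src;
// when script-src is absent the browser uses default-src instead.
// Returns true when the policy would let such calls run.
function allowsEval(header) {
  const p = parseCsp(header);
  const sources = p['script-src'] || p['default-src'] || [];
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Express-style middleware (hypothetical wiring) that sets the header once
// per response from a fixed policy.
function cspMiddleware(policy) {
  const value = buildCsp(policy);
  return (req, res, next) => {
    res.setHeader('Content-Security-Policy', value);
    next();
  };
}

// The pattern that trips the policy: a template engine that turns
// "Hello, {{name}}!" into a function body and hands it to new Function().
// (Constructed stand-in for what the lodash build in the thread did.)
function compileAtRuntime(template) {
  const body =
    'return "' + template.replace(/\{\{(\w+)\}\}/g, '" + data.$1 + "') + '";';
  return new Function('data', body); // blocked unless 'unsafe-eval' is present
}

// The workaround from comment 2: precompile at build time so the browser only
// ever receives ordinary functions and no string-to-code step is needed.
const precompiledGreeting = (data) => 'Hello, ' + data.name + '!';

// Constructed policy in the spirit of the thread: no 'unsafe-eval' anywhere.
const policy = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:'],
};

console.log(buildCsp(policy));
console.log('permits new Function():', allowsEval(buildCsp(policy)));
console.log(precompiledGreeting({ name: 'Jon' }));
```

Note that `allowsEval` reports what the policy permits, not what the page does; to find out whether shipped code still needs `'unsafe-eval'`, deploy the header in `Content-Security-Policy-Report-Only` mode first and watch the violation reports, which is what surfaced the lodash `new Function()` call in this bug.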
Comment on attachment 8341307 [details] [review] https://github.com/mozilla/webmaker-profile-service/pull/26 (In reply to Jon Buckley [:jbuck] from comment #3) > :mgoodwin - Would you mind looking at this CSP policy? Not at all; it's great to see another application making use of CSP. The policy looks good to me.
Attachment #8341307 - Flags: feedback?(mgoodwin) → feedback+
Commit pushed to master at https://github.com/mozilla/webmaker-profile-service https://github.com/mozilla/webmaker-profile-service/commit/bb549d21743764facd883c12118d6b7c6179b5c1 Bug 945460 - Enable Content Security Policy
This is on prod now!
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED