Enable Content Security Policy for Webmaker Profile

Status: RESOLVED FIXED (reported 5 years ago, last modified 5 years ago)

People: Reporter: jon, Assigned: jon

Attachments: 1 attachment

Description (Assignee, 5 years ago)
It's time to turn this on.
Comment 1 (Assignee, 5 years ago)
Created attachment 8341307 [details] [review]
https://github.com/mozilla/webmaker-profile-service/pull/26

This is a fairly simple policy, my only problem with it is that it requires setting script-src: 'unsafe-eval' for lodash.template. I don't see where in the code lodash.template is being used though? It's possible to work around new Function() by using pre-compiled templates, but I can't even seem to find where lodash.template is being used.
Attachment #8341307 - Flags: feedback?(gavin)
Comment 2 (Assignee, 5 years ago)
Alright, after a restart of my browser it seems that it's lodash itself causing the error; it uses new Function() to create some functions internally: https://github.com/lodash/lodash/issues/54

Going to try loading a different build of lodash, which should fix this.
Updated (Assignee, 5 years ago)
Depends on: 945478
Comment 3 (Assignee, 5 years ago)
Comment on attachment 8341307 [details] [review]
https://github.com/mozilla/webmaker-profile-service/pull/26

Alright, upgrading lodash totally fixed that unsafe-eval violation. This is ready for review!

:mgoodwin - Would you mind looking at this CSP policy?
Attachment #8341307 - Flags: review?(gavin)
Attachment #8341307 - Flags: feedback?(mgoodwin)
Attachment #8341307 - Flags: feedback?(gavin)
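
A defender-side illustration of the issue worked through in comments 1 to 3, added here and not part of this bug or the linked PR: a small CSP parser and Express-style middleware that flags a script-src which would have to carry 'unsafe-eval' for a library calling new Function(). The policy strings and function names are assumed, not taken from webmaker-profile-service.

```javascript
// Added example, not code from the webmaker-profile-service PR: an Express-style
// CSP middleware plus a checker that parses a policy header and flags script-src
// sources (such as 'unsafe-eval', which lodash's new Function() calls required).
// Both policy strings below are assumed values, not the project's actual policy.

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Sources in script-src (falling back to default-src) that let eval(),
// new Function() or inline/injected scripts run. Empty list means none.
function riskyScriptSources(header) {
  const d = parseCsp(header);
  const scriptSrc = d['script-src'] || d['default-src'] || [];
  const risky = new Set(["'unsafe-eval'", "'unsafe-inline'", '*', 'data:']);
  return scriptSrc.filter((s) => risky.has(s.toLowerCase()));
}

// Policy the old lodash build forced (needs 'unsafe-eval') beside the policy
// that works once lodash no longer calls new Function() at runtime.
const LODASH_WORKAROUND_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self'";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:";

// Express-compatible middleware: refuses a weak script-src at startup rather
// than shipping it, then sets the header on every response.
function cspMiddleware(policy) {
  const bad = riskyScriptSources(policy);
  if (bad.length > 0) {
    throw new Error('weak script-src sources: ' + bad.join(' '));
  }
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', policy);
    next();
  };
}
```

With the hardened policy, a browser reports a CSP violation (and refuses to run the code) whenever a dependency still reaches for new Function(), which is exactly how the lodash problem surfaced above.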
Comment on attachment 8341307 [details] [review]
https://github.com/mozilla/webmaker-profile-service/pull/26

(In reply to Jon Buckley [:jbuck] from comment #3)
> :mgoodwin - Would you mind looking at this CSP policy?

Not at all; it's great to see another application making use of CSP.

The policy looks good to me.
Attachment #8341307 - Flags: feedback?(mgoodwin) → feedback+

Updated (5 years ago)
Attachment #8341307 - Flags: review?(gavin) → review+
Comment 6 (Assignee, 5 years ago)
This is on prod now!
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED