Add CSP to popcorn.webmaker.org

Status

RESOLVED INCOMPLETE (reported 5 years ago, last resolved a year ago)

People

(Reporter: jon, Assigned: jon, Mentored)

Attachments

(1 attachment)

Description

Comment 0 (Assignee)

5 years ago
We need to implement Content Security Policy (CSP) on popcorn.webmaker.org. First, I'd recommend reading about CSP on MDN: https://developer.mozilla.org/en-US/docs/Security/CSP

Once you've got the background, you'll need to start implementing it. You can look at the policy for the make-valet:

* https://github.com/mozilla/make-valet/commit/3afa949101e8ca737ed9cafdd30ec52a32d52de2
* https://github.com/mozilla/make-valet/commit/a383215f897812568357c77dfa389b83b00243e4
* https://github.com/mozilla/make-valet/commit/26e03a90ac9688e2bfaffdadee320ed8eb3da8c6

Generally speaking, you'll need to:
* set the server to use CSP in report-only mode using the node module "hood" (see the code for how)
* move inline <script> tags into linked <script> tags
* make sure that no library is using eval, new Function(), etc
* whitelist allowed domains for other content types
* test very thoroughly
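The checklist above, as an added worked example (not code from popcorn.webmaker.org or from the "hood" module the bug recommends): a policy kept as plain data, serialised into a Content-Security-Policy-Report-Only header by a connect/express-style middleware, a lint pass for the things comment #0 says to avoid ('unsafe-eval', inline script, missing report-uri), and a formatter for the JSON violation reports browsers POST to the report-uri. The directive values, the two third-party hosts (taken from the Wikipedia and Google Maps hosts named later in this thread), the `/csp-report` path and the sample report are all assumptions for illustration.

```javascript
'use strict';

// Added example, not project code. Policy as data: directive -> sources.
// Hosts and paths are assumed for illustration.
const policy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://en.wikipedia.org', 'https://mts0.googleapis.com'],
  'style-src': ["'self'", "'unsafe-inline'"], // assumption: inline <style> still in use
  'img-src': ["'self'", 'data:', 'https:'],
  'frame-src': ["'self'"],
  'report-uri': ['/csp-report'],
};

// Serialise the policy: directives joined by "; ", sources by " ".
function buildCsp(pol) {
  return Object.keys(pol)
    .map((directive) => `${directive} ${pol[directive].join(' ')}`)
    .join('; ');
}

// Report-only deploys the policy without blocking anything; switch to the
// enforcing header name once the violation reports are clean.
function cspHeaderName(reportOnly) {
  return reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
}

// Checks a reviewer would run before enforcing: script-src must not allow
// eval, inline script or any host, and a report-uri must be present so
// violations are actually collected.
function lintPolicy(pol) {
  const problems = [];
  const scripts = pol['script-src'] || pol['default-src'] || [];
  if (scripts.includes("'unsafe-eval'")) problems.push("script-src allows 'unsafe-eval'");
  if (scripts.includes("'unsafe-inline'")) problems.push("script-src allows 'unsafe-inline'");
  if (scripts.includes('*')) problems.push('script-src allows any host');
  if (!pol['report-uri']) problems.push('no report-uri: violations will not be collected');
  return problems;
}

// connect/express-style middleware: sets the header on every response.
function cspMiddleware(options) {
  const header = cspHeaderName(options.reportOnly);
  const value = buildCsp(options.policy);
  return function (req, res, next) {
    res.setHeader(header, value);
    next();
  };
}

// Turn a browser violation report (JSON body with a "csp-report" key) into
// one log line. Returns null for bodies that are not CSP reports.
function formatViolation(body) {
  let parsed;
  try {
    parsed = typeof body === 'string' ? JSON.parse(body) : body;
  } catch (e) {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r) return null;
  return `csp-violation directive=${r['violated-directive']} ` +
         `blocked=${r['blocked-uri']} page=${r['document-uri']}`;
}

// Constructed sample report in the shape browsers POST to the report-uri.
const sampleReport = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://popcorn.webmaker.org/editor',
    'violated-directive': "script-src 'self'",
    'blocked-uri': 'https://mts0.googleapis.com',
  },
});

console.log(buildCsp(policy));
console.log('lint:', lintPolicy(policy));
console.log(formatViolation(sampleReport));
```

Wire `cspMiddleware({ policy, reportOnly: true })` in before the static and template handlers, point `/csp-report` at a route that feeds request bodies through `formatViolation`, and only flip `reportOnly` to `false` once the log stays quiet across the editor's own flows (adding a Wikipedia or map object is exactly where new hosts surface).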

Comment 1

5 years ago
(In reply to Jon Buckley [:jbuck] from comment #0)
> * make sure that no library is using eval, new Function(), etc

Is https://github.com/mozilla/popcorn.webmaker.org/blob/master/public/src/core/popcorn-wrapper.js#L420 allowed?

Comment 2 (Assignee)

5 years ago
You can allow it in CSP as unsafe-eval ( https://developer.mozilla.org/en-US/docs/Security/CSP/CSP_policy_directives#Keywords ) but as the policy is named, it's not safe, and we should avoid using it if we can. Another challenge for this patch!

Updated (5 years ago, by the assignee)

Whiteboard: [mentor=jbuck]
Depends on: 961155, 965037, 965043, 965045, 965048, 965049, 965051, 965063, 965066, 965067, 965071, 965081


Comment 3

5 years ago
Created attachment 8367030 [details] [review]
https://github.com/mozilla/popcorn.webmaker.org/pull/434

First crack at adding CSP to popcorn. Lots of blockers to fix up first!
Updated (5 years ago)

Blocks: 906743

Comment 4

5 years ago
Can you assign this one to me please as well?! Trying to be involved with all components.

Updated (5 years ago)

Depends on: 981352, 981354
Comment 5 (Assignee)

5 years ago
Comment on attachment 8367030: https://github.com/mozilla/popcorn.webmaker.org/pull/434

I have a better idea; want to review my code? :)

Attachment #8367030 - Flags: review?(admix.snurnikov)

Updated (5 years ago)

Assignee: nobody → jon
Status: NEW → ASSIGNED

Comment 6

5 years ago
I'm not sure why, but I can't change the flag (I think I don't have permissions). Anyway, I think for now it's r-, because two more blockers should be fixed for a proper implementation. The other thing is that the browser console gives warnings about the policy not using report-uri.
Updated (5 years ago)

Attachment #8367030 - Flags: review?(admix.snurnikov) → review-
Attachment #8367030 - Flags: review- → review?(admix.snurnikov)

Comment 7

5 years ago
Comment on attachment 8367030: https://github.com/mozilla/popcorn.webmaker.org/pull/434

Looks like almost everything is fine, except that when you add new objects to the project (Google Map, Wikipedia), new scripts load:

"https://en.wikipedia.org" - Wikipedia (all languages needed)
"https://mts0.googleapis.com" - Google Maps API

Also, could we format the CSP the same way it is formatted in the other components, so that it looks consistent everywhere? (The same goes for events-webmaker. :) )

Updated (5 years ago)

Attachment #8367030 - Flags: review?(admix.snurnikov) → review-
Mentor: jon
Whiteboard: [mentor=jbuck]

Popcorn Maker is no longer under active development.

https://learning.mozilla.org/blog/product-update-for-appmaker-and-popcorn-maker
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE