Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Content Security Policy #8

Merged
merged 14 commits into from Nov 18, 2019
Merged

Add Content Security Policy #8

merged 14 commits into from Nov 18, 2019

Conversation

nbraud
Copy link
Contributor

@nbraud nbraud commented Nov 17, 2019

No description provided.

@nbraud nbraud requested a review from a team as a code owner November 17, 2019 13:26
@netlify
Copy link

netlify bot commented Nov 17, 2019
edited

Deploy preview for condescending-bhaskara-d5a97a ready!

Built with commit 3b175fa

https://deploy-preview-8--condescending-bhaskara-d5a97a.netlify.com

@nbraud

This comment has been minimized.

Sign in to view
@nbraud
Copy link
Contributor Author

nbraud commented Nov 17, 2019

Upstreaming in mkdocs/mkdocs#1907

@nbraud nbraud mentioned this pull request Nov 17, 2019
Open
@nbraud
Copy link
Contributor Author

nbraud commented Nov 17, 2019

How come style-src is pointing at a js file?

That URI (https://cdnjs.cloudflare.com/ajax/libs/highlight.js/) covers both Javascript and CSS files:

  • https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js
  • https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/github.min.css

@nbraud nbraud mentioned this pull request Nov 18, 2019
Merged
@nbraud
Copy link
Contributor Author

nbraud commented Nov 18, 2019

This will actually need updating, if we load more things from CDNJS.

I'll update in a moment and request a re-review :3

@nbraud
Netlify: Convert _headers file to netlify.toml
d96d528 
This is more flexible, and lets us have notations for multiline strings.
@nbraud
Add Content Security Policy, restrictive for ressource origins.
2b99c63
@nbraud
theme: Pass inline data to JS as a JSON object, not raw Javascript
ed817d9 
This avoids needing `script-src: 'unsafe-inline'` in the CSP.
@nbraud
theme: Do not use an inline script to initialize highlight.js
8e47101
@nbraud
theme: Eliminate inline CSS
2b79d8f
@nbraud
Headers/CSP: Allow images to be inlined with data: URIs
97ce9f1 
Unsure where the data: image is coming from, though...
@nbraud
theme: Make base_url global (in the JS environment)
90f102a 
This is to preserve compatibility with external scripts, like the search plugin.
@nbraud
Headers/CSP: Allow connect-src 'self' (used by search plugin)
058cc3d
@nbraud
Headers/CSP: Disallow form submissions
11a7196
@nbraud
Headers/CSP: Disallow setting the base URI (through <base>)
6f14840
@nbraud
Headers/CSP: Enable the CSP sandbox
b5ea20d
@nbraud
theme/base.js: Avoid modern JS constructs for compatibility
e387608
@nbraud nbraud requested a review from reuvenpo November 18, 2019 19:58
@nbraud
Copy link
Contributor Author

nbraud commented Nov 18, 2019

@reuvenpo Could you re-review? Here is what changed:

  • I redid the changes to use the TOML config syntax instead, so the CSP should be more readable.
  • Since we excised the binaries from the repo (and load them from CDNJS instead), I had to update the CSP to whitelist more libraries from CDNJS.

reuvenpo
reuvenpo reviewed Nov 18, 2019
View reviewed changes
netlify.toml Show resolved Hide resolved
netlify.toml Outdated Show resolved Hide resolved
netlify.toml Outdated Show resolved Hide resolved
@reuvenpo reuvenpo merged commit 53be412 into main Nov 18, 2019
@nbraud nbraud deleted the csp branch November 18, 2019 23:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reuvenpo reuvenpo reuvenpo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@nbraud @reuvenpo