Add CSP config #8

Open
opened 2023-10-26 10:09:14 +00:00 by nicksellen · 0 comments

This is the CSP header from karrot.world:

```
content-security-policy:
default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self' wss://karrot.world https://nominatim.openstreetmap.org https://firebaseinstallations.googleapis.com https://fcmregistrations.googleapis.com https://sentry.io https://*.ingest.sentry.io blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' https: data: blob:; report-uri https://o68809.ingest.sentry.io/api/1249808/security/?sentry_key=5c7a0f337fbe4e9ca8626f0e203a2569&sentry_environment=karrot-world;
```

It needs to be configured based on configuration variables, though; we currently generate it from an ansible task (see https://github.com/karrot-dev/yuca/blob/26e36067c42290481a654bf42dc79646c3e249cc/roles/karrot-backend/tasks/main.yml#L32-L67).

The firebase/fcm is going away soon (the next karrot release has replaced that with a web push implementation).

The report URI should be a configuration option, and only be included if present.

I _think_ the script `unsafe-eval` can go away now too (given https://github.com/karrot-dev/karrot-frontend/issues/2522).

I'm not sure why the `unsafe-inline` for style-src is there, potentially not needed now.

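A worked sketch of the configuration-driven generation the issue asks for, as an added example that is not part of the issue and not karrot's or the yuca ansible role's own code. It assumes a hypothetical `CspConfig` with fields `site_origin`, `extra_connect_src`, `allow_unsafe_eval`, `allow_unsafe_inline_styles` and `report_uri` (none of these are the role's actual variables), emits `report-uri` only when set, derives the `wss://` origin from the site origin so firebase/fcm hosts simply drop out when they are not listed, and adds an `audit_csp` check that flags the `'unsafe-eval'` and `'unsafe-inline'` sources the issue proposes removing. The karrot.world header quoted above is embedded as sample input.

```python
"""Generate a Content-Security-Policy header from configuration variables and
audit it for the weak keyword sources discussed in this issue.

Added example, not karrot's or the yuca ansible role's code; the CspConfig
field names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The karrot.world header quoted in the issue, used here as sample input.
LEGACY_HEADER = (
    "default-src 'self'; script-src 'self' 'unsafe-eval'; "
    "connect-src 'self' wss://karrot.world https://nominatim.openstreetmap.org "
    "https://firebaseinstallations.googleapis.com https://fcmregistrations.googleapis.com "
    "https://sentry.io https://*.ingest.sentry.io blob:; "
    "style-src 'self' 'unsafe-inline'; font-src 'self' data:; "
    "img-src 'self' https: data: blob:; "
    "report-uri https://o68809.ingest.sentry.io/api/1249808/security/"
    "?sentry_key=5c7a0f337fbe4e9ca8626f0e203a2569&sentry_environment=karrot-world;"
)


@dataclass
class CspConfig:
    """Hypothetical configuration keys a deployment would set (not the role's variables)."""
    site_origin: str                                            # e.g. "https://karrot.world"
    extra_connect_src: List[str] = field(default_factory=list)  # geocoder, sentry, ...
    allow_unsafe_eval: bool = False                             # legacy; the issue says it can go
    allow_unsafe_inline_styles: bool = False                    # likewise
    report_uri: Optional[str] = None                            # emitted only when set


def build_csp(cfg: CspConfig) -> str:
    """Return the CSP header value for cfg."""
    if not cfg.site_origin.startswith("https://"):
        raise ValueError("site_origin must be an https:// origin")
    # The websocket origin follows from the site origin; no separate variable needed.
    wss_origin = "wss://" + cfg.site_origin[len("https://"):]
    directives: Dict[str, List[str]] = {
        "default-src": ["'self'"],
        "script-src": ["'self'"] + (["'unsafe-eval'"] if cfg.allow_unsafe_eval else []),
        "connect-src": ["'self'", wss_origin, *cfg.extra_connect_src, "blob:"],
        "style-src": ["'self'"] + (["'unsafe-inline'"] if cfg.allow_unsafe_inline_styles else []),
        "font-src": ["'self'", "data:"],
        "img-src": ["'self'", "https:", "data:", "blob:"],
    }
    if cfg.report_uri:  # optional: omit the directive entirely when not configured
        directives["report-uri"] = [cfg.report_uri]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [sources]}; a trailing ';' is tolerated."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Findings for the two keyword sources the issue proposes to remove.

    script-src and style-src fall back to default-src when absent, as browsers do."""
    policy = parse_csp(header)
    findings: List[str] = []
    fallback = policy.get("default-src", [])
    for directive in ("script-src", "style-src"):
        sources = {s.lower() for s in policy.get(directive, fallback)}
        for keyword in ("'unsafe-eval'", "'unsafe-inline'"):
            if keyword in sources:
                findings.append(f"{directive} allows {keyword}")
    return findings


if __name__ == "__main__":
    print("legacy header findings:", audit_csp(LEGACY_HEADER))
    cfg = CspConfig(
        site_origin="https://karrot.world",
        extra_connect_src=["https://nominatim.openstreetmap.org",
                           "https://sentry.io", "https://*.ingest.sentry.io"],
        report_uri="https://example.invalid/csp-report",  # hypothetical endpoint
    )
    print(build_csp(cfg))
    print("generated header findings:", audit_csp(build_csp(cfg)))
```

Running the script audits the quoted header (two findings: `'unsafe-eval'` in script-src and `'unsafe-inline'` in style-src) and then prints a header generated from a config that lists neither firebase host nor either keyword, which audits clean. The `report_uri` example URL is a placeholder; a real deployment would put its own reporting endpoint there.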
Reference: coop-cloud/karrot#8