Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Content-Security-Policy: add strict csp headers and use a nonce #97

Merged
merged 20 commits into from
Oct 9, 2024
Merged

Content-Security-Policy: add strict csp headers and use a nonce #97

merged 20 commits into from
Oct 9, 2024

Conversation

abhiramtilakiiit
Copy link
Contributor

@abhiramtilakiiit abhiramtilakiiit commented Sep 11, 2024
edited
Loading

Need for Changes

  • The latest google lighthouse report has shown how we allow unsafe-inline styles and
    basically have no CSP in place.

According to nextjs docs it is recommended to add these headers to the middleware and wherever
needed (when external scripts or inline scripts are being called), add the nonce instead
to uniquely generate a nonce everytime the page loads.

  • Since we are using MUI, their docs, instruct
    addind nonce to the ThemeRegistry using aa cache provider. (Update: We are having to use unsafe-inline because some MUI components use inline styles (mui github: issues/19938), we will remove this if it gets fixed upstream sometime).

Changes

  • I have added some strict headers and made some changes so the redirects also return these headers.
  • I have included the nonce in the ThemeRegistry style tag, and the subsequent CacheProvider to cache it out.
  • I have added *.iiit.ac.in, as a white list to <iframe> as long as it is being displayed in the iiit website.

Todo

  • There are some instances where CSP errors out, please pay close attention to the browser console.

abhiramtilakiiit and others added 17 commits September 12, 2024 00:06
@abhiramtilakiiit
Content-Security-Policy: add strict csp headers and use a nonce
99aa1fe
@abhiramtilakiiit
Content-Security-Policy: add iiit main website in iframe whitelist
e58666c
@bhavberi
Merge branch 'master' into scp
e564e24
@bhavberi
Merge branch 'master' into scp
00afe00
@bhavberi
Fixed some icons are not loading
af83532
@bhavberi
Allow icons to load from different sources
489f2c6
@bhavberi @abhiramtilakiiit
Minor Variable name change for better understanding
fcefd84
@bhavberi @abhiramtilakiiit
Redirect to the correct url between clubs and student-bodies
87a62bd
@bhavberi @abhiramtilakiiit
Simplify Gallery Images Bugger View, and added loading for images
5cb921f 
Helps in Google Indexing, as otherwise it treats /gallery and /gallery?img=index as different pages
@bhavberi @abhiramtilakiiit
Reduce showImage function
32145a5
@Dileepadari @abhiramtilakiiit
placeholder animation added for the images.
cc7690f
@bhavberi @abhiramtilakiiit
Minor change
b245938
@bhavberi @abhiramtilakiiit
Apply Prettier Formatting Fixes
eb53200
@abhiramtilakiiit
handle merge conflicts: when rebasing the scp
8469869
@bhavberi
Merge branch 'master' into scp
f560387
@bhavberi
Enable styled components
1a2fe6c
@bhavberi
Use unsafe-inline with styles (mui/material-ui#19938)
d2074f1
@Dileepadari Dileepadari self-assigned this Oct 4, 2024
@bhavberi bhavberi added the security can related to authorization of pages and content label Oct 4, 2024
Dileepadari
Dileepadari approved these changes Oct 9, 2024
View reviewed changes
Copy link
Member

@Dileepadari Dileepadari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, testing with different components done, can be merged.

@Dileepadari Dileepadari merged commit 09dfad0 into master Oct 9, 2024
2 checks passed
@Dileepadari Dileepadari deleted the scp branch October 9, 2024 22:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Dileepadari Dileepadari Dileepadari approved these changes

@bhavberi bhavberi bhavberi approved these changes

@v15hv4 v15hv4 Awaiting requested review from v15hv4

Assignees

@Dileepadari Dileepadari

Labels
security can related to authorization of pages and content
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@abhiramtilakiiit @bhavberi @Dileepadari