
Content security policy clean #1565

Merged
merged 11 commits into from
Aug 25, 2020

Conversation

maxmarkus

@maxmarkus maxmarkus commented Aug 14, 2020

Resolves #1458

We accepted unsafe-inline for style-src as a potential risk, since we rely on some inline styles for configurable sizes like modals.

<meta
    http-equiv="Content-Security-Policy"
    content="default-src 'self' ;
    script-src 'self'  ;
    style-src 'self' 'unsafe-inline' ;
    img-src data:" />

@maxmarkus maxmarkus added security/high Related to CVSSv3 security rating https://www.first.org/cvss/calculator/3.0 security always set in addition to specific security severity label, since github filtering is lacking OR labels Aug 14, 2020
@ndricimrr ndricimrr self-assigned this Aug 14, 2020
@ndricimrr

ndricimrr commented Aug 20, 2020

Seems to work fine for solving the "unsafe-eval" CSP issue. It seems like it doesn't solve the 'unsafe-inline' issue.
Similar results for the examples as well:
[Screenshot 2020-08-20 at 16 42 50]

That would mean we have to link this PR to the unsafe-eval issue instead and continue to work on the unsafe-inline one afterwards.
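The meta tag in the PR description and the reviewer's point about unsafe-eval versus unsafe-inline both come down to which source keywords each fetch directive ends up allowing. The following is an added example, not Luigi project code and not part of this PR: a small linter that splits a policy string the way a browser does (directives on ';', source expressions on whitespace), resolves the default-src fallback for script-src and style-src, and reports every 'unsafe-inline' / 'unsafe-eval' still in effect. The PR_POLICY string is copied from the meta tag above; PERMISSIVE_POLICY and NONCE_POLICY are constructed for comparison.

```javascript
// Added example, not part of the Luigi project or this PR.
// Parse a CSP string into Map<directiveName, [sourceExpressions]>.
// A repeated directive name is ignored after its first occurrence, as browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Directives whose value falls back to default-src when they are not set.
const CHECKED_DIRECTIVES = ['script-src', 'style-src'];
const UNSAFE_KEYWORDS = ["'unsafe-inline'", "'unsafe-eval'"];

// Returns one finding per (directive, unsafe keyword) pair that is in effect.
// inherited   - the directive was absent and its value came from default-src
// neutralized - 'unsafe-inline' sits next to a nonce or hash source; CSP level 2+
//               browsers then ignore 'unsafe-inline' for that directive
function findUnsafeSources(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const name of CHECKED_DIRECTIVES) {
    let inherited = false;
    let values = directives.get(name);
    if (values === undefined) {
      values = directives.get('default-src') || [];
      inherited = true;
    }
    const lowered = values.map(v => v.toLowerCase());
    const hasNonceOrHash = lowered.some(v => /^'(nonce-|sha(256|384|512)-)/.test(v));
    for (const keyword of UNSAFE_KEYWORDS) {
      if (!lowered.includes(keyword)) continue;
      findings.push({
        directive: name,
        keyword,
        inherited,
        neutralized: keyword === "'unsafe-inline'" && hasNonceOrHash,
      });
    }
  }
  return findings;
}

// Policy copied from the meta tag in the PR description.
const PR_POLICY =
  "default-src 'self' ; script-src 'self'  ; style-src 'self' 'unsafe-inline' ; img-src data:";

// Constructed "before" policy: script-src and style-src are absent and inherit
// both unsafe keywords from default-src. Not taken from the project.
const PERMISSIVE_POLICY = "default-src 'self' 'unsafe-inline' 'unsafe-eval'";

// Constructed policy showing the nonce case: 'unsafe-inline' is present but ignored.
const NONCE_POLICY = "script-src 'self' 'nonce-R4nd0m' 'unsafe-inline'; style-src 'self'";

// Print a human-readable report and return the findings for further checks.
function report(label, policy) {
  const findings = findUnsafeSources(policy);
  console.log(`${label}: ${findings.length} unsafe source(s) in effect`);
  for (const f of findings) {
    const where = f.inherited ? `${f.directive} (via default-src)` : f.directive;
    const note = f.neutralized ? ' (ignored by the browser: nonce/hash present)' : '';
    console.log(`  ${where} allows ${f.keyword}${note}`);
  }
  return findings;
}

report('PR policy', PR_POLICY);
report('Permissive policy', PERMISSIVE_POLICY);
report('Nonce policy', NONCE_POLICY);
```

Run against the PR's policy the linter reports exactly one finding, style-src with 'unsafe-inline', which is the risk the description says was accepted deliberately; script-src is clean of both keywords, matching the reviewer's observation that the unsafe-eval issue is solved while the unsafe-inline one remains. One caveat on the PR's policy that a reviewer would raise: as written, img-src lists only data:, so it does not fall back to default-src and same-origin images would need 'self' added to that directive.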

@ndricimrr ndricimrr linked an issue Aug 21, 2020 that may be closed by this pull request

@ndricimrr ndricimrr left a comment


👍

@maxmarkus maxmarkus merged commit 4b134fc into SAP:master Aug 25, 2020
@maxmarkus maxmarkus deleted the 1449-content-security-policy-clean branch August 25, 2020 11:51
JohannesDoberer added a commit to JohannesDoberer/luigi that referenced this pull request Aug 25, 2020
* master:
  Docu: Examples for client lifecycle api (SAP#1561)
  Content security policy clean (SAP#1565)

# Conflicts:
#	client/src/lifecycleManager.js
#	docs/luigi-client-api.md
@ndricimrr ndricimrr mentioned this pull request Sep 9, 2020
stanleychh pushed a commit to stanleychh/luigi that referenced this pull request Dec 30, 2021
Successfully merging this pull request may close these issues.

Investigate CSP unsafe-eval for Luigi Core