Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes: #1679. Remove unsafe-eval directive from our CSP policy. #1682

Merged
merged 11 commits into from
Aug 1, 2017
Merged

Fixes: #1679. Remove unsafe-eval directive from our CSP policy. #1682

merged 11 commits into from
Aug 1, 2017

Conversation

miketaylr
Copy link
Member

@miketaylr miketaylr commented Jul 27, 2017
edited
Loading

This is a pretty big change to how we do templates. But it's also 1000% safer than what we currently allow.

Please don't merge yet, but feel free to comment. ready for review/merge

It also probably needs some docs updates to mention that if you ever change a template file, you'll need to re-run grunt:jst (or grunt). edit: done

miketaylr
miketaylr commented Jul 27, 2017
View reviewed changes
grunt-tasks/jst.js Outdated
// strip the opening and closing <script> tags...
// otherwise, the template functions will just inject script elements
// that won't render.
src = src.split(/\<script type=['"]text\/template['"]>/)[1];

This comment was marked as abuse.

Sign in to view

This comment was marked as abuse.

Sign in to view

This comment was marked as abuse.

Sign in to view

This comment was marked as abuse.

Sign in to view

This comment was marked as abuse.

Sign in to view

This comment was marked as abuse.

Sign in to view

@miketaylr
Copy link
Member Author

Better than expected!

15/77 tests failed (3 skipped)

@miketaylr
Copy link
Member Author

Ah yeah, forgot about a tiny inline template in the labels code :))

Error: call to Function() blocked by CSP

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://localhost:5000 https://www.google-analytics.com https://api.github.com”). Source: call to eval() or related function blocked by CSP.

@miketaylr
Copy link
Member Author

Cool, that fixed it.

miketaylr
miketaylr commented Jul 27, 2017
View reviewed changes
webcompat/templates/issue/issue-labels-sub.jst Outdated
<%= label.name %>
</span>
<% }); %>
<script type="text/template">

This comment was marked as abuse.

Sign in to view

miketaylr
miketaylr commented Jul 27, 2017
View reviewed changes
webcompat/templates/issue/issue-labels.jst
<header class="wc-Issue-labelEditor">
<div class="wc-Issue-labelEditor-title">
Labels
</div>
{% if session.user_id and session.avatar_url %}
<% if ($("body").data("username")) { %>

This comment was marked as abuse.

Sign in to view

miketaylr
miketaylr commented Jul 27, 2017
View reviewed changes
webcompat/templates/web_modules/dropdown.html
@@ -1,3 +0,0 @@
{% macro dropdown(config) %}

This comment was marked as abuse.

Sign in to view

@miketaylr miketaylr requested review from zoepage and magsout July 27, 2017 22:46
@miketaylr miketaylr changed the title Fixes: #1679. Remove unsafe-eval directive from our CSP policy. [DO NOT MERGE] Fixes: #1679. Remove unsafe-eval directive from our CSP policy. Jul 27, 2017
@miketaylr
Copy link
Member Author

OK, tests pass and I get no new csp errors locally when messing around.

r? @zoepage
r? @magsout

@zoepage
Copy link
Member

zoepage commented Jul 28, 2017

@miketaylr that is really impressing. I went through the files and everything looks great on first glance including build & tests. But I'd like to take more time, to understand everything. Hope, this is ok.

@miketaylr
Copy link
Member Author

(oops, forgot to push docs commit)

miketaylr
miketaylr commented Jul 28, 2017
View reviewed changes
webcompat/templates/home-page/browse-issues.html
<% } %>
</script>
</div>
{% include "web_modules/issue-list.jst" %}

This comment was marked as abuse.

Sign in to view

@miketaylr
Copy link
Member Author

Just so it's not lost, here's an explanation of what this PR is trying to achieve:

#1682 (comment)

miketaylr
miketaylr commented Jul 28, 2017
View reviewed changes
webcompat/static/js/lib/labels.js Outdated
].join("")
),
// relavant parts in issue/issue-labels.jst
subTemplate: wcTmpl["issue/issue-lables-sub.jst"],

This comment was marked as abuse.

Sign in to view

@zoepage
Copy link
Member

zoepage commented Jul 31, 2017

@miketaylr The performance improvement is really impressive! :)

I found a few small issues:

CSP issue:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://localhost:5000 https://www.google-analytics.com https://api.github.com”). Source: onfocusin attribute on DIV element.

Labels:

The placeholder for label is shown. When a label is added, it's not shown until a reload is fired manually. (See screenshots)

screen shot 2017-07-31 at 2 36 47 pm

screen shot 2017-07-31 at 2 37 04 pm

Anchor

http://localhost:5000/#contribute anchor directs not to the correct place as the issues are loaded later (from the all issues list on the index).

@miketaylr
Copy link
Member Author

@zoepage thanks for digging around and finding those issues! That onfocusin one I'm 99% sure is just your adblocker or lastpass or similar. If you try it in a new profile that error won't be there. Will take a closer look at the rest.

@miketaylr
Copy link
Member Author

OK, fixed the label editor issue (which also uncovered another small bug) and filed a follow up for the #contribute link (because that also exists in production): #1688

Just need to fix this package.json conflict.

Mike Taylor added 6 commits July 31, 2017 14:33
Issue #1679. Inline html includes into jst templates, and remove redu…
5206012 
…ndant files as a result.

Unfortunately the pre-compiled template approach won't let us rely on the jinja2 parser
to do interesting things with JS templates.
Issue #1679. DRY: the diagnosis section of the homepage, and both sec…
e0cf9c4 
…tions of my issues should use the same issue template.
Issue #1679. Rename tmpl to jst (to match configs), and use shorter p…
727f56a 
…ath for convenience.
Issue #1679. Remove 'unsafe-eval' from script-src directive of CSP po…
5f4df15 
…licy.
Issue #1679. Move subTemplate inline template into its own jst file.
a28e01d
Issue #1679. Update dev-env-setup.md to mention the need to re-build …
fa64824 
…after modifying .jst templates.
@zoepage
Copy link
Member

zoepage commented Jul 31, 2017

Sweet! Thank you :)

@miketaylr
Copy link
Member Author

I just deployed this branch to staging if anyone wants to poke at it some more. Otherwise, will probably merge tomorrow.

@zoepage
Copy link
Member

zoepage commented Aug 1, 2017
edited
Loading

On stage (after posting an issue). Not just google analytics gets blocked but also the github api?

Things work, but just wanted to make you aware of this, IF this is an issue. :)

screen shot 2017-08-01 at 11 36 16 am

screen shot 2017-08-01 at 12 22 18 pm

Also the function for the flash message ("Thank you for reporting, wanna share?") gets blocked, if I saw that right?

@zoepage zoepage mentioned this pull request Aug 1, 2017
Closed
zoepage
zoepage approved these changes Aug 1, 2017
View reviewed changes
Copy link
Member

@zoepage zoepage left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think, after fixing the flash messaged things should be good. :)

@miketaylr
Copy link
Member Author

Things work, but just wanted to make you aware of this, IF this is an issue. :)

Investigating...

@miketaylr
Copy link
Member Author

Investigating...

Yeah oops. Forgot about one last inline template. Fixed now!

@miketaylr
Copy link
Member Author

💣s away... thanks for review @karlcow @zoepage!

@miketaylr miketaylr merged commit 2d77c21 into master Aug 1, 2017
@miketaylr miketaylr deleted the issues/1679/1 branch August 1, 2017 16:49
@snyk-bot snyk-bot mentioned this pull request Nov 18, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@karlcow karlcow karlcow left review comments

@zoepage zoepage zoepage approved these changes

@magsout magsout Awaiting requested review from magsout

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@miketaylr @zoepage @karlcow