Work with a restrictive CSP policy

Currently, Atlas doesn't play nice with CSP, because it embeds css and javascript inside the html code, instead of putting them into dedicated files.

The usage of CSP would make exploitation of (potential) XSS harder.

added component::metrics/relay search csp css javascript metrics-2017 owner::irl priority::medium resolution::wontfix security severity::normal status::closed type::enhancement labels

I'll be picking this up.

Trac:
Owner: irl to cypherpunks
Status: new to assigned

Trac:
0001-Use-a-span-instead-of-an-inline-div.patch

Trac:
0002-Move-inline-CSS-to-the-stylesheet.patch

Trac:
0003-Move-inline-JavaScript-to-a-separate-file.patch

I've added three patches that either move or remove inline CSS and JavaScript. The compatibility with CSP has not been tested because I can't be bothered setting up a web server. Maybe someone else can test this?

Trac:
Status: assigned to needs_review

I applied the patches on my instance, with a restrictive CSP.

Not a review, just a quick look, but your instance gives me a bunch of errors.

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://dustri.org https://*.fastly.net").

Trac:
Status: needs_review to needs_revision

The underscore JavaScript library generates

Error: call to Function() blocked by CSP

and has been addressed in issue 906 on their bug tracker. In that issue they advise to precompile the templates to solve the error. I don't know yet what precompiling templates actually means.

The developer answered on the aforementioned ticket; apparently, one option is to use lodash-cli, with something like lodash template="./*.jst" settings="{interpolate:/\{\{([sS]+?)\}\}/g}".

He recommended to ask on their gitter chat for more information.

Simplify summary.

Trac:
Summary: Atlas should work with a restrictive CSP policy to Work with a restrictive CSP policy

Trac:
Keywords: N/A deleted, metrics-2018 added

Trac:
Keywords: metrics-2018 deleted, metrics-2017 added

Moving this into my queue.

Trac:
Owner: cypherpunks to irl
Status: needs_revision to assigned

Trac:
Status: assigned to accepted

After merging with metrics-web we would probably have to redo this. I'm going to mark this as wontfix for now. If there are specific issues that can be fixed in order to progress towards this goal, then we can keep those around, as long as they would still apply after merging with metrics-web.

Trac:
Status: accepted to closed
Resolution: N/A to wontfix

closed