Opened 9 months ago

Last modified 4 weeks ago

#21230 needs_revision enhancement

Work with a restrictive CSP policy

Reported by: cypherpunks Owned by: cypherpunks
Priority: Medium Milestone:
Component: Metrics/Atlas Version:
Severity: Normal Keywords: security, css, javascript, csp, metrics-2017
Cc: jvoisin Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Currently, Atlas doesn't play nice with CSP, because it embeds CSS and JavaScript inside the HTML code, instead of putting them into dedicated files.

The usage of CSP would make exploitation of (potential) XSS harder.
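As an added illustration (not Atlas code and not part of the ticket), the following script reports the inline CSS and JavaScript that a restrictive policy such as default-src 'self' would refuse to run; it is the kind of check a reviewer could run over the rendered pages before and after the patches. The two HTML documents are constructed for the example.

```javascript
// Added example (not Atlas code): a linter that reports the inline CSS and
// JavaScript that a restrictive policy such as
//   Content-Security-Policy: default-src 'self'
// would refuse to run. Each of these needs 'unsafe-inline' (or a per-response
// nonce/hash) to work, which is why the ticket moves them into separate files.

const INLINE_RULES = [
  // <script> with no src attribute: inline script, blocked by script-src 'self'
  { kind: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi },
  // <style> blocks: blocked by style-src 'self'
  { kind: 'inline-style-block', re: /<style\b[^>]*>[\s\S]*?<\/style>/gi },
  // style="..." attributes: also blocked by style-src 'self'
  { kind: 'inline-style-attr', re: /\sstyle\s*=\s*(["'])[\s\S]*?\1/gi },
  // on*="..." event handlers (onclick, onload, ...): blocked by script-src 'self'
  { kind: 'event-handler-attr', re: /\son[a-z]+\s*=\s*(["'])[\s\S]*?\1/gi },
  // javascript: URLs in href/src: blocked by script-src 'self'
  { kind: 'javascript-url', re: /\b(?:href|src)\s*=\s*(["'])\s*javascript:[\s\S]*?\1/gi },
];

// Returns one entry per offending fragment: { kind, snippet }.
function findInlineViolations(html) {
  const hits = [];
  for (const { kind, re } of INLINE_RULES) {
    re.lastIndex = 0; // the regexes are global and shared, so reset between runs
    let m;
    while ((m = re.exec(html)) !== null) {
      hits.push({ kind, snippet: m[0].trim().replace(/\s+/g, ' ').slice(0, 60) });
    }
  }
  return hits;
}

// Counts per kind, which is what a CI check would print.
function countByKind(html) {
  const counts = {};
  for (const { kind } of findInlineViolations(html)) {
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

// True when the page can be served under default-src 'self' with no inline allowances.
function isCspClean(html) {
  return findInlineViolations(html).length === 0;
}

// Constructed sample page resembling what the ticket describes: stylesheet
// and script embedded in the document, plus a style attribute and an onclick.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<style>.relay { color: green }</style>
<script src="/js/underscore.js"></script>
<script>var relays = [];</script>
</head><body>
<div style="display:none" id="loading">Loading...</div>
<button onclick="refresh()">Refresh</button>
<a href="/relay/abc">details</a>
</body></html>`;

// Constructed "after" page: everything inline has moved to external files or
// been replaced by a class and a listener registered from script.
const FIXED_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/atlas.css">
<script src="/js/underscore.js"></script>
<script src="/js/atlas.js"></script>
</head><body>
<div class="hidden" id="loading">Loading...</div>
<button id="refresh">Refresh</button>
<a href="/relay/abc">details</a>
</body></html>`;

for (const [label, html] of [['before', SAMPLE_HTML], ['after', FIXED_HTML]]) {
  console.log(label, isCspClean(html) ? 'OK' : countByKind(html));
}
```

The rules are regex-based on purpose: they run on the served HTML without a browser, so they can sit in a test or a pre-commit hook. For the real thing, the browser console output quoted later in this ticket is the authoritative check, since the browser applies the policy to the DOM it actually built.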

Child Tickets

Attachments (3)

0001-Use-a-span-instead-of-an-inline-div.patch (920 bytes) - added by cypherpunks 9 months ago.
0002-Move-inline-CSS-to-the-stylesheet.patch (1.4 KB) - added by cypherpunks 9 months ago.
0003-Move-inline-JavaScript-to-a-separate-file.patch (997 bytes) - added by cypherpunks 9 months ago.


Change History (12)

comment:1 Changed 9 months ago by cypherpunks

Owner: changed from irl to cypherpunks
Status: new → assigned

I'll be picking this up.

Changed 9 months ago by cypherpunks

Changed 9 months ago by cypherpunks

comment:2 Changed 9 months ago by cypherpunks

Status: assigned → needs_review

I've added three patches that either move or remove inline CSS and JavaScript. The compatibility with CSP has not been tested because I can't be bothered setting up a web server. Maybe someone else can test this?

comment:3 Changed 9 months ago by cypherpunks

I applied the patches on my instance, with a restrictive CSP.

comment:4 Changed 9 months ago by irl

Status: needs_review → needs_revision

Not a review, just a quick look, but your instance gives me a bunch of errors.

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://dustri.org https://*.fastly.net").

comment:5 Changed 9 months ago by cypherpunks

The underscore JavaScript library generates

Error: call to Function() blocked by CSP

and has been addressed in issue 906 on their bug tracker. In that issue they advise precompiling the templates to solve the error. I don't know yet what precompiling templates actually means.

comment:6 Changed 5 months ago by cypherpunks

The developer answered on the aforementioned ticket; apparently, one option is to use lodash-cli, with something like lodash template="./*.jst" settings="{interpolate:/\{\{([\s\S]+?)\}\}/g}".

He recommended to ask on their gitter chat for more information.
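The following is an added example, written for this ticket page and not taken from underscore, lodash-cli or Atlas, to show what the "precompile the templates" advice from comments 5 and 6 means in practice. Underscore's _.template() turns a template string into JavaScript source at page load and hands it to Function(), which a CSP without 'unsafe-eval' rejects (the error quoted in comment 5). A build step can do the same compile once and write plain functions into a static file, so the browser only ever loads ordinary script. The template compiler here is a toy: it uses the same {{ ... }} delimiters as the interpolate setting in comment 6 but, as a restriction of this example, only accepts dotted property paths inside the braces and HTML-escapes every interpolated value; the template and data are constructed.

```javascript
// Added example, not underscore, lodash-cli or Atlas code. Contrasts compiling
// a template at runtime (needs Function(), blocked by CSP without
// 'unsafe-eval') with compiling it at build time into a static templates.js.

// Same {{ ... }} delimiters as the lodash-cli 'interpolate' setting above.
const INTERPOLATE = /\{\{([\s\S]+?)\}\}/g;
// Toy restriction (assumption of this example): only dotted property paths
// such as relay.nickname are accepted inside {{ }}, not arbitrary JavaScript.
const PATH = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Shared compile step: turn a template into the body of a JS function that
// takes `data` and returns an HTML string with every interpolation escaped.
function templateBody(template) {
  let body = "return ''";
  let last = 0;
  for (const m of template.matchAll(INTERPOLATE)) {
    const expr = m[1].trim();
    if (!PATH.test(expr)) throw new Error(`unsupported expression in template: ${expr}`);
    body += ' + ' + JSON.stringify(template.slice(last, m.index));
    body += ` + escapeHtml(data.${expr})`;
    last = m.index + m[0].length;
  }
  return body + ' + ' + JSON.stringify(template.slice(last)) + ';';
}

// Runtime approach (where the "call to Function() blocked by CSP" error comes
// from): the generated source is compiled in the browser with new Function().
function compileAtRuntime(template) {
  const fn = new Function('data', 'escapeHtml', templateBody(template)); // rejected under CSP
  return (data) => fn(data, escapeHtml);
}

// Build-time approach: emit a complete static file. Nothing here runs in the
// browser; the returned text is what gets deployed as templates.js and loaded
// with <script src="templates.js">, which script-src 'self' permits.
function compileBundle(templates) {
  const parts = [
    `const HTML_ESCAPES = ${JSON.stringify(HTML_ESCAPES)};`,
    escapeHtml.toString(),
  ];
  for (const [name, tpl] of Object.entries(templates)) {
    parts.push(`function ${name}(data) { ${templateBody(tpl)} }`);
  }
  return parts.join('\n');
}

// Test-only helper: execute the generated file in Node to check its output.
// In the browser the same text is executed by the script loader, not by us.
function loadBundle(source, fnName) {
  return new Function(`${source}\nreturn ${fnName};`)();
}

// Constructed template and data.
const TEMPLATES = {
  relayRow: '<tr><td>{{ relay.nickname }}</td><td>{{ relay.fingerprint }}</td></tr>',
};
const SAMPLE_DATA = { relay: { nickname: '<b>evil</b>', fingerprint: 'ABCD1234' } };

const bundle = compileBundle(TEMPLATES);
console.log(bundle);
console.log(loadBundle(bundle, 'relayRow')(SAMPLE_DATA));
```

Both paths produce the same HTML; the difference that matters to CSP is only where the compile happens. lodash-cli plays the role of compileBundle here, running once at build time over the .jst files, and the browser never needs 'unsafe-eval'.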

comment:7 Changed 5 weeks ago by karsten

Summary: Atlas should work with a restrictive CSP policy → Work with a restrictive CSP policy

Simplify summary.

comment:8 Changed 4 weeks ago by karsten

Keywords: metrics-2018 added

comment:9 Changed 4 weeks ago by karsten

Keywords: metrics-2017 added; metrics-2018 removed