Opened 2 months ago

Last modified 7 weeks ago

#21230 needs_revision enhancement

Atlas should work with a restrictive CSP policy

Reported by: cypherpunks
Owned by: cypherpunks
Priority: Medium
Milestone:
Component: Metrics/Atlas
Version:
Severity: Normal
Keywords: security, css, javascript, csp
Cc: jvoisin
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Currently, Atlas doesn't play nice with CSP because it embeds CSS and JavaScript inside the HTML code instead of putting them into dedicated files.

The usage of CSP would make exploitation of (potential) XSS harder.

Child Tickets

Attachments (3)

0001-Use-a-span-instead-of-an-inline-div.patch (920 bytes) - added by cypherpunks 7 weeks ago.
0002-Move-inline-CSS-to-the-stylesheet.patch (1.4 KB) - added by cypherpunks 7 weeks ago.
0003-Move-inline-JavaScript-to-a-separate-file.patch (997 bytes) - added by cypherpunks 7 weeks ago.


Change History (8)

comment:1 Changed 7 weeks ago by cypherpunks

  • Owner changed from irl to cypherpunks
  • Status changed from new to assigned

I'll be picking this up.

Changed 7 weeks ago by cypherpunks

Changed 7 weeks ago by cypherpunks

comment:2 Changed 7 weeks ago by cypherpunks

  • Status changed from assigned to needs_review

I've added three patches that either move or remove inline CSS and JavaScript. The compatibility with CSP has not been tested because I can't be bothered setting up a web server. Maybe someone else can test this?

comment:3 Changed 7 weeks ago by cypherpunks

I applied the patches on my instance, with a restrictive CSP.

comment:4 Changed 7 weeks ago by irl

  • Status changed from needs_review to needs_revision

Not a review, just a quick look, but your instance gives me a bunch of errors.

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://dustri.org https://*.fastly.net").
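The error quoted above follows directly from how a browser matches a resource load against a policy: script-src and style-src fall back to default-src when absent, and the quoted default-src names dustri.org and *.fastly.net but never 'self', so anything the page serves from its own origin is refused. The JavaScript below is an added example for this ticket, not Atlas code and not a complete CSP implementation: it handles only the source expressions that appear on this page ('self', 'unsafe-inline', 'unsafe-eval', host sources with an optional https:// scheme and a leading "*." wildcard), ignores ports, paths, nonces and hashes, and the page origin https://atlas.example.org, the resource URLs and the stricter second policy are all made up for illustration.

```javascript
// Minimal CSP evaluator for the part of the spec this ticket exercises.
// Added example, not Atlas code and not a complete implementation: only
// the source expressions seen on this page are supported, and ports,
// paths, nonces and hashes are ignored. Treat it as a reading aid.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// script-src, style-src, img-src, ... fall back to default-src when absent.
function sourcesFor(header, directive) {
  const d = parsePolicy(header);
  return d.get(directive) || d.get('default-src') || [];
}

function hostSourceMatches(src, url, pageOrigin) {
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false; // other keywords never match a URL fetch
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i);
  if (!m) return false;
  const scheme = m[1] && m[1].toLowerCase();
  const host = m[2].toLowerCase();
  // Simplification: a scheme-less host source accepts http: and https:.
  if (scheme ? scheme + ':' !== url.protocol : !/^https?:$/.test(url.protocol)) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1)); // "*.fastly.net" -> ".fastly.net"
  return url.hostname === host;
}

// request is one of { url }, { inline: true } or { eval: true }.
// Returns true when the policy permits it under the given directive.
function cspAllows(header, directive, request, pageOrigin) {
  const sources = sourcesFor(header, directive);
  if (request.inline) return sources.includes("'unsafe-inline'");
  if (request.eval) return sources.includes("'unsafe-eval'");
  const url = new URL(request.url);
  return sources.some(src => hostSourceMatches(src, url, pageOrigin));
}

// The policy quoted in comment 4, and an assumed (made-up) Atlas origin.
const TICKET_POLICY = 'default-src https://dustri.org https://*.fastly.net';
const PAGE_ORIGIN = 'https://atlas.example.org';

// A policy (constructed here) that lets the patched Atlas load its own
// stylesheet and scripts while still refusing inline code and eval.
const STRICT_POLICY = "default-src 'none'; script-src 'self' https://*.fastly.net; style-src 'self'; img-src 'self'; connect-src 'self'";

function ticketScenario() {
  return {
    // comment 4: a script served by the page's own origin, which the policy never names
    ownScriptUnderTicketPolicy: cspAllows(TICKET_POLICY, 'script-src', { url: PAGE_ORIGIN + '/js/atlas.js' }, PAGE_ORIGIN),
    fastlyUnderTicketPolicy: cspAllows(TICKET_POLICY, 'script-src', { url: 'https://cdn.fastly.net/underscore.js' }, PAGE_ORIGIN),
    // the inline <style> and <script> blocks the three patches move out of the HTML
    inlineStyleUnderTicketPolicy: cspAllows(TICKET_POLICY, 'style-src', { inline: true }, PAGE_ORIGIN),
    // comment 5: new Function() counts as eval, so it needs 'unsafe-eval'
    evalUnderStrictPolicy: cspAllows(STRICT_POLICY, 'script-src', { eval: true }, PAGE_ORIGIN),
    ownScriptUnderStrictPolicy: cspAllows(STRICT_POLICY, 'script-src', { url: PAGE_ORIGIN + '/js/atlas.js' }, PAGE_ORIGIN),
  };
}
```

Run ticketScenario() to see the same refusal the browser reported: the page's own script is blocked under the quoted policy while the fastly.net host passes, and even the stricter constructed policy still refuses eval, which is the next problem the thread runs into.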

comment:5 Changed 7 weeks ago by cypherpunks

The Underscore JavaScript library generates

Error: call to Function() blocked by CSP

This has been addressed in issue 906 on their bug tracker. In that issue they advise precompiling the templates to solve the error. I don't know yet what precompiling templates actually means.
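What "precompiling templates" means, as an added example that is neither Underscore's code nor Atlas's: _.template turns a template string into JavaScript source and hands that source to new Function(...) while the page is running, and a CSP without 'unsafe-eval' forbids exactly that call. Precompiling means running the same compile step once at build time and shipping the generated function in a static .js file, so the browser never calls Function() or eval(). The toy compiler below reproduces Underscore's three tag kinds (<%- %> escaped, <%= %> raw, <% %> evaluated) with data reached through a `data` parameter, as Underscore's `variable` setting does; the relay template and the sample data are constructed for illustration.

```javascript
// Toy reconstruction of what _.template does and what precompiling it
// means. Added example for this ticket: not Underscore's code, not
// Atlas's. The template and sample data are constructed for illustration.

const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"'`]/g, c => ESCAPE[c]);
}

// Translate template text into the body of a JavaScript function that
// appends literal chunks and tag results to __p and returns it.
function compileTemplateSource(text) {
  const tag = /<%-([\s\S]+?)%>|<%=([\s\S]+?)%>|<%([\s\S]+?)%>|$/g;
  let source = "var __p = '', __t;\n";
  let index = 0;
  text.replace(tag, (match, esc, raw, code, offset) => {
    source += '__p += ' + JSON.stringify(text.slice(index, offset)) + ';\n';
    index = offset + match.length;
    if (esc) source += '__p += __e(' + esc + ');\n';
    else if (raw) source += "__p += ((__t = (" + raw + ")) == null ? '' : __t);\n";
    else if (code) source += code + '\n';
    return match;
  });
  source += 'return __p;';
  return source;
}

// Runtime path, as _.template does it: new Function() is the call a CSP
// without 'unsafe-eval' refuses. It runs here only because Node applies
// no CSP.
function compileAtRuntime(text) {
  const render = new Function('data', '__e', compileTemplateSource(text));
  return data => render(data, escapeHtml);
}

// Build-time path: emit the same body as a plain function declaration
// to be written into a static .js file served from the page's own origin.
function precompileToModule(name, text) {
  return 'function ' + name + '(data, __e) {\n' + compileTemplateSource(text) + '\n}\n';
}

// Constructed template in the style of a relay entry.
const RELAY_TEMPLATE = '<span class="relay"><%- data.nickname %> (<%= data.fingerprint %>)<% if (data.running) { %> running<% } %></span>';

// What precompileToModule('renderRelay', RELAY_TEMPLATE) writes to the
// static file, reproduced by hand so this block runs without eval.
function renderRelay(data, __e) {
  var __p = '', __t;
  __p += "<span class=\"relay\">";
  __p += __e( data.nickname );
  __p += " (";
  __p += ((__t = ( data.fingerprint )) == null ? '' : __t);
  __p += ")";
  if (data.running) {
  __p += " running";
  }
  __p += "</span>";
  return __p;
}

// Constructed sample data; the nickname carries markup to show escaping.
const SAMPLE_RELAY = { nickname: '<b>Evil', fingerprint: 'ABCD', running: true };

function renderBothWays() {
  return {
    runtime: compileAtRuntime(RELAY_TEMPLATE)(SAMPLE_RELAY),
    precompiled: renderRelay(SAMPLE_RELAY, escapeHtml),
    moduleText: precompileToModule('renderRelay', RELAY_TEMPLATE),
  };
}
```

Both paths render the same string; the difference is only where compileTemplateSource runs. With the precompiled function in a separate file, script-src 'self' is enough and 'unsafe-eval' can stay out of the policy.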
