Opened 5 months ago

Last modified 4 weeks ago

#21230 needs_revision enhancement

Atlas should work with a restrictive CSP policy

Reported by: cypherpunks
Owned by: cypherpunks
Priority: Medium
Milestone:
Component: Metrics/Atlas
Version:
Severity: Normal
Keywords: security, css, javascript, csp
Cc: jvoisin
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Currently, Atlas doesn't play nice with CSP, because it embeds CSS and JavaScript inside the HTML code, instead of putting them into dedicated files.

The usage of CSP would make exploitation of (potential) XSS harder.

Attachments (3)

0001-Use-a-span-instead-of-an-inline-div.patch (920 bytes) - added by cypherpunks 5 months ago.
0002-Move-inline-CSS-to-the-stylesheet.patch (1.4 KB) - added by cypherpunks 5 months ago.
0003-Move-inline-JavaScript-to-a-separate-file.patch (997 bytes) - added by cypherpunks 5 months ago.

Change History (9)

comment:1 Changed 5 months ago by cypherpunks

  • Owner changed from irl to cypherpunks
  • Status changed from new to assigned

I'll be picking this up.

Changed 5 months ago by cypherpunks

Changed 5 months ago by cypherpunks

comment:2 Changed 5 months ago by cypherpunks

  • Status changed from assigned to needs_review

I've added three patches that either move or remove inline CSS and JavaScript. The compatibility with CSP has not been tested because I can't be bothered setting up a web server. Maybe someone else can test this?

comment:3 Changed 5 months ago by cypherpunks

I applied the patches on my instance, with a restrictive CSP.

comment:4 Changed 5 months ago by irl

  • Status changed from needs_review to needs_revision

Not a review, just a quick look, but your instance gives me a bunch of errors.

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://*").

comment:5 Changed 5 months ago by cypherpunks

The underscore JavaScript library generates

Error: call to Function() blocked by CSP

and has been addressed in issue 906 on their bug tracker. In that issue they advise precompiling the templates to solve the error. I don't know yet what precompiling templates actually means.
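
To make the two errors in comments 4 and 5 concrete, here is an added example (not code from Atlas, underscore or the ticket's patches) that models how a browser matches a policy such as default-src https://* against a resource, and why Function() is refused without 'unsafe-eval'; the http://atlas.example origin used in the comments is a constructed placeholder.

```javascript
// Added example, not code from Atlas, underscore or the ticket's patches: a
// small model of the two CSP decisions in this thread (a same-origin resource
// blocked by "default-src https://*", and Function() blocked for lack of
// 'unsafe-eval'). Only the subset of source matching needed here is modelled.
// "default-src https://*; script-src 'self'" -> { 'default-src': [...], ... }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives fall back to default-src; null means "unrestricted".
function effectiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}

// Does one source expression ('self', *, https:, https://*, *.host, host) allow
// loading `url` from a page at `page`? Both are URL objects.
function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::\d+)?$/i.exec(source);
  if (!m) return false; // nonces, hashes and other keywords are not modelled
  const scheme = m[1] ? m[1].toLowerCase() + ':' : page.protocol; // simplified: no http->https upgrade
  const host = m[2].toLowerCase();
  if (url.protocol !== scheme) return false;
  if (host === '*') return true;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Would the browser load `resourceUrl` under `directive` (e.g. 'script-src')?
function isResourceAllowed(header, directive, resourceUrl, pageUrl) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  const url = new URL(resourceUrl), page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// eval()/Function() need 'unsafe-eval' (underscore's _.template() calls Function()
// at runtime, hence comment 5's error); inline <script> needs 'unsafe-inline'.
function isScriptKeywordAllowed(header, keyword) {
  const sources = effectiveSources(parseCsp(header), 'script-src');
  return sources === null || sources.includes(keyword);
}
```

Running an http:// instance (as in comment 4) against default-src https://* blocks every same-origin script, while the same page over https:// loads fine; precompiled templates remove the runtime Function() call instead of loosening the policy with 'unsafe-eval'.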

comment:6 Changed 4 weeks ago by cypherpunks

The developer answered on the aforementioned ticket; apparently, one option is to use lodash-cli, with something like lodash template="./*.jst" settings="{interpolate:/\{\{([\s\S]+?)\}\}/g}".

He recommended asking on their Gitter chat for more information.
