Opened 19 months ago

Closed 9 months ago

#21230 closed enhancement (wontfix)

Work with a restrictive CSP policy

Reported by: cypherpunks
Owned by: irl
Priority: Medium
Milestone:
Component: Metrics/Relay Search
Version:
Severity: Normal
Keywords: security, css, javascript, csp, metrics-2017
Cc: jvoisin
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Currently, Atlas doesn't play nice with CSP, because it embeds css and javascript inside the html code, instead of putting them into dedicated files.

The usage of CSP would make exploitation of (potential) XSS harder.

Child Tickets

Attachments (3)

0001-Use-a-span-instead-of-an-inline-div.patch (920 bytes) - added by cypherpunks 19 months ago.
0002-Move-inline-CSS-to-the-stylesheet.patch (1.4 KB) - added by cypherpunks 19 months ago.
0003-Move-inline-JavaScript-to-a-separate-file.patch (997 bytes) - added by cypherpunks 19 months ago.


Change History (15)

comment:1 Changed 19 months ago by cypherpunks

Owner: changed from irl to cypherpunks
Status: new → assigned

I'll be picking this up.

Changed 19 months ago by cypherpunks

Changed 19 months ago by cypherpunks

comment:2 Changed 19 months ago by cypherpunks

Status: assigned → needs_review

I've added three patches that either move or remove inline CSS and JavaScript. The compatibility with CSP has not been tested because I can't be bothered setting up a web server. Maybe someone else can test this?
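One way to test the patches without a web server is to scan the rendered markup for anything a CSP without 'unsafe-inline' would block. This is an added example, not code from the ticket or from Atlas; the sample HTML is constructed to resemble the inline div, style and script the patches above remove.

```python
from html.parser import HTMLParser

# Constructed sample: one inline <style>, one style= attribute, one inline event
# handler and one inline <script>, next to an external stylesheet and script that
# a policy such as "default-src 'self'" would still allow.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/atlas.css">
<style>.hidden { display: none; }</style>
<script src="/js/underscore.js"></script>
</head><body>
<div style="display:none" id="loading">Loading</div>
<button onclick="search()">Search</button>
<script>var x = 1;</script>
</body></html>"""


class InlineFinder(HTMLParser):
    """Records (line, description) for markup a CSP without 'unsafe-inline' rejects."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)          # attribute names are already lowercased
        line = self.getpos()[0]
        if tag == "script" and "src" not in attrs:
            self.findings.append((line, "inline <script>"))
        elif tag == "style":
            self.findings.append((line, "inline <style>"))
        if "style" in attrs:
            self.findings.append((line, f"style attribute on <{tag}>"))
        for name in attrs:
            # onclick, onload, ... are inline script as far as CSP is concerned
            if name.startswith("on") and len(name) > 2:
                self.findings.append((line, f"{name} handler on <{tag}>"))


def find_inline_code(html):
    """Return every CSP-blocked inline construct in document order."""
    parser = InlineFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, what in find_inline_code(SAMPLE_HTML):
        print(f"line {line}: {what}")
```

Run it over the templates after applying the patches; an empty result means nothing left in the markup needs 'unsafe-inline', although templates compiled at runtime (see the underscore issue below) still need 'unsafe-eval'.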

comment:3 Changed 19 months ago by cypherpunks

I applied the patches on my instance, with a restrictive CSP.

comment:4 Changed 19 months ago by irl

Status: needs_review → needs_revision

Not a review, just a quick look, but your instance gives me a bunch of errors.

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://dustri.org https://*.fastly.net").

comment:5 Changed 19 months ago by cypherpunks

The underscore JavaScript library generates

Error: call to Function() blocked by CSP

and has been addressed in issue 906 on their bug tracker. In that issue they advise to precompile the templates to solve the error. I don't know yet what precompiling templates actually means.

comment:6 Changed 15 months ago by cypherpunks

The developer answered on the aforementioned ticket; apparently, one option is to use lodash-cli, with something like lodash template="./*.jst" settings="{interpolate:/\{\{([\s\S]+?)\}\}/g}".

He recommended asking on their gitter chat for more information.

comment:7 Changed 11 months ago by karsten

Summary: Atlas should work with a restrictive CSP policy → Work with a restrictive CSP policy

Simplify summary.

comment:8 Changed 11 months ago by karsten

Keywords: metrics-2018 added

comment:9 Changed 11 months ago by karsten

Keywords: metrics-2017 added; metrics-2018 removed

comment:10 Changed 9 months ago by irl

Owner: changed from cypherpunks to irl
Status: needs_revision → assigned

Moving this into my queue.

comment:11 Changed 9 months ago by irl

Status: assigned → accepted

comment:12 Changed 9 months ago by irl

Resolution: wontfix
Status: accepted → closed

After merging with metrics-web we would probably have to redo this. I'm going to mark this as wontfix for now. If there are specific issues that can be fixed in order to progress towards this goal, then we can keep those around, as long as they would still apply after merging with metrics-web.
