
Add 'unsafe-inline' for style-src CSP #2105


Closed

Conversation

jtgeibel (Member) commented Jan 8, 2020

This fixes the following error seen in the console:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). format+en,default+en,ui+en,corechart+en.I.js:596:193

r? @carols10cents

jtgeibel (Member Author) commented Jan 8, 2020

I have this currently deployed in staging, and the only remaining console error appears to be from the Ember Inspector addon. That error could be resolved by adding 'unsafe-inline' to script-src as well, but that's probably unnecessary (as I have no clue what potential Ember Inspector functionality this might be blocking).

I had hoped to also remove 'unsafe-eval' from script-src, but ran into errors. The issue linked in the comment is closed and this announcement also seems to indicate that this should no longer be necessary when using Google Charts. It sounds like it should work when loading via the older jsapi, but maybe migrating to the new loader would work.

smarnach (Contributor) commented Jan 8, 2020

This error has been showing in the console forever, but I didn't notice any negative effect (i.e. no broken styling in the graph). The error message is not a problem by itself, so I don't think we should weaken our Content-Security-Policy header just to make this error message go away.

jtgeibel (Member Author) commented Jan 9, 2020

This error has been showing in the console forever, but I didn't notice any negative effect (i.e. no broken styling in the graph).

I agree, I'm not aware of any functional improvements here, beyond removing the error from the console.

The error message is not a problem by itself, so I don't think we should weaken our Content-Security-Policy header just to make this error message go away.

I'm not too worried about adding unsafe-inline to style-src. I would gladly trade it in place of removing the unsafe-eval from script-src, if I can get that working. I'll do some experimentation with the new loader to see if that works.
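The two comments above weigh 'unsafe-inline' in style-src against 'unsafe-eval' in script-src. The following checker is an added example written for this page; it is not code from the crates.io project or from any participant in the thread. It parses a Content-Security-Policy header value, applies the default-src fallback for fetch directives, and reports whether inline styles, inline scripts and eval are permitted, which is exactly the question behind the "blocked the loading of a resource at inline ('style-src')" console error. The BEFORE and AFTER policy strings and the https://charts.example.com host are constructed for illustration; the real crates.io header is not shown on this page.

```javascript
// Added example (not crates.io code): a small CSP directive checker.
// Parses a Content-Security-Policy header value and answers the two
// questions debated in the thread: does style-src allow inline styles,
// and does script-src allow eval?

function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // A repeated directive name is ignored by browsers; the first one wins.
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// Fetch directives such as style-src and script-src fall back to
// default-src when they are not listed. No directive at all means no
// restriction for that resource type.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Keyword source expressions are matched ASCII case-insensitively.
function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

// 'unsafe-inline' is ignored when the same directive also carries a nonce
// or hash source, so inline content is only permitted when the keyword is
// present and no nonce/hash source is listed.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/i.test(s)
  );
  return hasKeyword(sources, "'unsafe-inline'") && !hasNonceOrHash;
}

function allowsEval(policy) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return true;
  return hasKeyword(sources, "'unsafe-eval'");
}

// Summarise the three properties a reviewer would want to see side by side.
function auditCsp(header) {
  const policy = parseCsp(header);
  return {
    inlineStyles: allowsInline(policy, 'style-src'),
    inlineScripts: allowsInline(policy, 'script-src'),
    evalScripts: allowsEval(policy),
  };
}

// Constructed policies (not the real crates.io header). BEFORE reproduces
// the situation described in the thread: inline styles blocked, eval still
// allowed. AFTER is the same policy with 'unsafe-inline' added to style-src.
const BEFORE =
  "default-src 'self'; " +
  "script-src 'self' 'unsafe-eval' https://charts.example.com; " +
  "style-src 'self' https://charts.example.com";
const AFTER =
  "default-src 'self'; " +
  "script-src 'self' 'unsafe-eval' https://charts.example.com; " +
  "style-src 'self' 'unsafe-inline' https://charts.example.com";

for (const [label, header] of [['before', BEFORE], ['after', AFTER]]) {
  console.log(label, auditCsp(header));
}
```

For the constructed BEFORE policy the checker reports inlineStyles false, which is the condition that produces the console error quoted at the top of the thread; AFTER flips only that field, while evalScripts stays true in both, matching the trade-off the comment above describes. The caveat a reviewer would add: 'unsafe-inline' in style-src does not grant script execution, but injected CSS can still leak page content (for example through attribute selectors against form values), so it is a weaker guarantee than a nonce- or hash-based style-src, and the checker deliberately treats a nonce or hash as overriding the keyword.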

bors (Contributor) commented Feb 13, 2020

☔ The latest upstream changes (presumably #2100) made this pull request unmergeable. Please resolve the merge conflicts.

locks (Contributor) commented Mar 21, 2020

I didn't manage to update the PR with the rebase so I opened a new one here #2292. Please continue discussion there!

@locks locks closed this Mar 21, 2020
bors added a commit that referenced this pull request Apr 4, 2020
…geibel

Add 'unsafe-inline' for style-src CSP

Replaces #2105.

7 participants