
feat: add more fine-grained CSP support #3724

Merged (1 commit), Sep 8, 2021

Conversation

@janl janl (Member) commented Sep 2, 2021

This introduces CSP settings for attachments and show/list funs and
streamlines the configuration with the existing Fauxton CSP options.

Deprecates the old `[csp] enable` and `[csp] header_value` config
options, but they are honoured going forward.

They are replaced with `[csp] utils_enable` and `[csp] utils_header_value`
respectively. The functionality and default values remain the same.

In addition, these new config options are added, along with their
default values:

```
[csp]
attachments_enable = true
attachments_header_value = sandbox
showlist_enable = true
showlist_header_value = sandbox
```

These add `Content-Security-Policy` headers to all attachment requests
and to all non-JSON show and all list function responses.

Co-authored-by: Nick Vatamaniuc <[email protected]>
Co-authored-by: Robert Newson <[email protected]>

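The description above spells out a precedence rule (new `utils_*` keys replacing the deprecated `enable`/`header_value` keys, which stay honoured) and a scope rule (every attachment response, every list response, but only non-JSON show responses get the header). The following is an added example, not CouchDB's own code: a small Python model of those rules plus an audit helper a practitioner can point at the headers of a real response to confirm the deployed config does what they expect. The ini fragment is constructed for the example; the `attachments_*`/`showlist_*` defaults are the ones quoted in the PR text, while the `utils_*` defaults are not stated on this page and are therefore not assumed. It also assumes, since the page does not say, that a new key wins over its deprecated alias when both are set.

```python
"""Model of the [csp] option handling described in apache/couchdb PR #3724.

Added example, not project code. Assumptions not stated on the page:
  * a new key wins over its deprecated alias when both are present;
  * enable flags are the strings "true"/"false" as in CouchDB ini files.
"""
import configparser
from typing import Dict, List, Optional

# Constructed ini fragment for the example (not a real deployment's config).
# It deliberately uses the deprecated utils keys to show they are honoured.
SAMPLE_INI = """
[csp]
enable = true
header_value = default-src 'self'
attachments_enable = true
attachments_header_value = sandbox
showlist_enable = false
"""

# Response class -> (enable key, header_value key, (deprecated enable alias,
# deprecated value alias)). Only the Fauxton/_utils options have aliases.
_KEYS = {
    "utils":      ("utils_enable", "utils_header_value", ("enable", "header_value")),
    "attachment": ("attachments_enable", "attachments_header_value", (None, None)),
    "show":       ("showlist_enable", "showlist_header_value", (None, None)),
    "list":       ("showlist_enable", "showlist_header_value", (None, None)),
}

# Defaults quoted in the PR description. The utils defaults are not given on
# the page, so an ini that sets neither the new nor the deprecated utils keys
# yields no header from this model.
_DEFAULTS = {
    "attachments_enable": "true",
    "attachments_header_value": "sandbox",
    "showlist_enable": "true",
    "showlist_header_value": "sandbox",
}


def _is_true(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() == "true"


def _setting(csp: Dict[str, str], key: str, alias: Optional[str]) -> Optional[str]:
    # Assumption: new key first, then the deprecated alias, then the default.
    if key in csp:
        return csp[key]
    if alias is not None and alias in csp:
        return csp[alias]
    return _DEFAULTS.get(key)


def expected_csp(ini_text: str, response_class: str,
                 content_type: str = "application/octet-stream") -> Optional[str]:
    """CSP header value the config implies for this response, or None."""
    enable_key, value_key, (enable_alias, value_alias) = _KEYS[response_class]
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    csp = dict(cp["csp"]) if cp.has_section("csp") else {}
    if not _is_true(_setting(csp, enable_key, enable_alias)):
        return None
    # Per the PR text: all list responses, but only non-JSON show responses.
    mime = content_type.split(";")[0].strip().lower()
    if response_class == "show" and mime == "application/json":
        return None
    return _setting(csp, value_key, value_alias)


def audit_response(ini_text: str, response_class: str, content_type: str,
                   observed_headers: Dict[str, str]) -> List[str]:
    """Compare a live response's headers with what the config implies.

    Returns a list of findings; an empty list means the response matches.
    Header names are matched case-insensitively.
    """
    want = expected_csp(ini_text, response_class, content_type)
    got = next((v for k, v in observed_headers.items()
                if k.lower() == "content-security-policy"), None)
    findings: List[str] = []
    if want is None and got is not None:
        findings.append(f"unexpected CSP header {got!r} on {response_class} response")
    elif want is not None and got is None:
        findings.append(f"missing CSP header on {response_class} response (expected {want!r})")
    elif want is not None and got.strip() != want.strip():
        findings.append(f"CSP header mismatch: expected {want!r}, got {got!r}")
    return findings


if __name__ == "__main__":
    # Constructed headers standing in for a captured attachment response.
    captured = {"Content-Type": "text/html", "Server": "CouchDB"}
    for f in audit_response(SAMPLE_INI, "attachment", "text/html", captured):
        print(f)
```

To use it against a running node, fetch an attachment (or a show/list endpoint) with any HTTP client, pass the response headers as a dict, and act on the findings; the `sandbox` value is what the PR ships as default, so a missing header on an HTML attachment is the case worth alerting on.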

@janl janl force-pushed the feat/csp-for-attachments branch 2 times, most recently from d043396 to 3c20cc2, September 2, 2021 10:38
@nickva nickva (Contributor) left a comment

+1 with a few minor nits in tests

@janl janl (Member, Author) commented Sep 8, 2021

Thanks Nick, should be all addressed

@janl janl merged commit 64281c0 into 3.x Sep 8, 2021
@janl janl deleted the feat/csp-for-attachments branch September 8, 2021 13:32