
Fix #1010 #1020

Merged
merged 3 commits into from
Sep 2, 2019

Conversation

ParkourKarthik
Contributor

@ParkourKarthik ParkourKarthik commented Aug 25, 2019

Short description of what this resolves:

Resolves security issues with content security policy

Changes proposed in this pull request:

Added content security policy for webviews

Fixes: #1010

How Has This Been Tested?

Verified that there is no view mismatch and no console error logs.

Screenshots (if appropriate):

Checklist:

  • I have read the contribution guidelines.
  • My change requires a change to the documentation and GitHub Wiki.
  • I have updated the documentation and Wiki accordingly.

@ParkourKarthik
Contributor Author

@shanalikhan I've just modified the first page. Verify if it is ok to update other pages similarly.
On your confirmation, I'll update the other Webviews accordingly within this PR.
I do have several doubts below:

  1. To explicitly set values for different sources?
  2. Is it safe to use 'unsafe-inline'? If not what is preferred, nonce or moving the inline scripts out if possible?

@shanalikhan
Owner

To explicitly set values for different sources?

Can you explain it?

Is it safe to use 'unsafe-inline'?

Yes, let's keep this as of now unless the code gives warnings or logs in the console :)

Feel free to improve other webviews as well.

@ParkourKarthik
Contributor Author

ParkourKarthik commented Aug 26, 2019

I mean, right now I've set values on the default-src directive, which serves as a fallback for other directives such as script-src, style-src, img-directive, etc.
For example, I've set 'unsafe-inline' in default-src, which is to enable inline scripts in the code, which is applicable in this landing page. But this value would be a fallback value for other directives as well, which may affect the security in some cases (I'm not sure though).

Explicitly setting script-src 'unsafe-inline' would be better and more specific. I think that would be the preferred way as well.
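The fallback behaviour described in the comment above is what decides whether 'unsafe-inline' on default-src leaks into style-src, img-src and the rest. The following is an added example, not code from this pull request or from the extension: a small evaluator that parses a policy string, resolves which source list governs a given fetch directive (falling back to default-src when the specific directive is absent), and compares the two policy shapes discussed here. The policy strings, the `https://webview.example` origin and all function names are constructed for the example.

```javascript
// Added example (not from the PR or the extension): how CSP fetch directives
// fall back to default-src, and what that means for 'unsafe-inline'.

// Fetch directives that inherit default-src when they are not listed themselves.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src',
]);

// Parse "directive value value; directive value" into Map<directive, string[]>.
// The first occurrence of a directive wins; later duplicates are ignored,
// which matches how browsers treat repeated directives in one policy.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the source list that governs `directive` and which directive supplied it.
// `values === null` means the policy places no restriction on that fetch type.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) {
    return { from: directive, values: directives.get(directive) };
  }
  if (FALLS_BACK_TO_DEFAULT.has(directive) && directives.has('default-src')) {
    return { from: 'default-src', values: directives.get('default-src') };
  }
  return { from: null, values: null };
}

// Is an inline <script> / <style> block permitted under `directive`?
function allowsInline(directives, directive) {
  const { values } = effectiveSources(directives, directive);
  if (values === null) return true;
  return values.includes("'unsafe-inline'");
}

// Is a load from `origin` permitted under `directive`? Covers the source
// expressions used in this example: 'none', 'self', '*', a bare scheme
// such as "https:", and an exact origin. ('none' is treated as blocking
// everything regardless of what else is listed.)
function allowsOrigin(directives, directive, origin, selfOrigin) {
  const { values } = effectiveSources(directives, directive);
  if (values === null) return true;
  if (values.includes("'none'")) return false;
  return values.some((v) => {
    if (v === '*') return true;
    if (v === "'self'") return origin === selfOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(v)) {
      return origin.toLowerCase().startsWith(v.toLowerCase());
    }
    return v === origin;
  });
}

// Summarise which of the two inline-capable fetch types a policy leaves open.
function inlineReport(policy) {
  const directives = parsePolicy(policy);
  const report = {};
  for (const d of ['script-src', 'style-src']) {
    report[d] = allowsInline(directives, d);
  }
  return report;
}

// Constructed policies mirroring the two shapes discussed in the thread:
// the broad one puts 'unsafe-inline' on default-src, the specific one
// locks default-src down and opens only what the page needs.
const BROAD_POLICY = "default-src 'unsafe-inline'";
const SPECIFIC_POLICY =
  "default-src 'none'; script-src 'unsafe-inline'; style-src 'self'; img-src 'self' https:";
const SELF_ORIGIN = 'https://webview.example'; // constructed placeholder origin

if (typeof require !== 'undefined' && require.main === module) {
  console.log('broad   :', inlineReport(BROAD_POLICY));    // inline allowed for script and style
  console.log('specific:', inlineReport(SPECIFIC_POLICY)); // inline allowed for script only
}
```

Run with `node csp-fallback.js`. The broad policy reports inline content as allowed for both script-src and style-src because both inherit default-src, and it would do the same for img-src, connect-src and the other directives in `FALLS_BACK_TO_DEFAULT`; the specific policy keeps inline scripts (the only thing the landing page needed) while connect-src, font-src and everything else unlisted fall back to 'none'.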

@ParkourKarthik
Contributor Author

I've updated the webviews as required. You can verify and merge the changes.

@shanalikhan shanalikhan added this to the v3.4.3 milestone Aug 28, 2019
@shanalikhan shanalikhan merged commit 8c9a534 into shanalikhan:v3.4.3 Sep 2, 2019