Add Content Security Policy headers to all jQuery content sites #54
Prevent future regressions. Ref #3. Ref jquery/infrastructure-puppet#54
This also depends on jquery/jquery-wp-content#463. Also, the nginx changes are only being deployed to staging atm.

@timmywil Of the three changed roles, only grunt has staging. It seems https://stage.gruntjs.com/ is now down. I guess an nginx syntax error?

After consulting the docs, I don't see anything obviously wrong with the syntax. Instead, I think the issue has to do with the grunt site's use of

@timmywil That didn't seem to bring the site back. I tried logging into the droplet, to check its puppet log and nginx error, but it's not responding to SSH. Looks like something on 22 Aug (two days before your first patch). Could it be a coincidence?

I've rebooted the instance and the site is now back up. Investigation at #60 (unrelated to this).
With the merging of jquery/jquery-wp-content#463, all staging sites (and all non-wordpress prod sites) now have CSP report headers. The next step will be to test all these sites and fix their issues. Once we've addressed any issues, we can deploy the report-only headers to production. We'll then test all the production sites. Then, we'll switch to real CSP headers.

Non-wordpress sites

Wordpress staging sites
@timmywil It seems even after #61, Firefox still reports the following console warning:

Looking at the HTTP response:

This doesn't contain the relevant change. Looking at the server:

So it has protected itself by keeping the server running with the previous configuration for now.

Sorry about that. I'll look into it.

I think it's just a missing semicolon
**miscweb**
- script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
- img-src: allow secure.gravatar.com images on plugins.jquery.com
- media-src: allow content.jquery.com media on podcast.jquery.com

**grunt**
- script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins - the datatables plugin uses jQuery's eval. While later versions of jQuery switched to using script tags for eval, it would still require an exception. The best solution would be to re-implement search, but that will take time.

Ref #54
Closes gh-63
I just noticed I missed an

Edit: PR merged at #68
Proposed header value
This should be tested with a report header first
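The thread above describes two things worth checking mechanically before a policy reaches production: the report-only phase that precedes enforcement, and the per-site exceptions ('unsafe-eval', 'wasm-unsafe-eval', extra image and media hosts) that weaken a policy, plus the missing-semicolon mistake that left the old nginx configuration running. The following is an added example, not code from this repository or from the jQuery infrastructure project: a small Python checker that parses a serialized CSP value, flags a directive name that has slipped into another directive's source list (the usual symptom of a missing `;`), lists risky source expressions for review, and emits either the `Content-Security-Policy-Report-Only` or the enforcing `Content-Security-Policy` header with a `report-uri` appended. The policy strings and the `/csp-report` endpoint below are constructed for illustration and are not the project's actual header values.

```python
"""Lint a Content-Security-Policy value and build the report-only or enforcing header.

Added example for a two-phase CSP rollout: run every site with the
*-Report-Only header first, collect violation reports, then switch the
same policy to the enforcing header name.
"""
from typing import Dict, List, Optional, Tuple

# Directive names from CSP Level 3 (subset sufficient for this check).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "media-src",
    "font-src", "connect-src", "frame-src", "object-src", "base-uri",
    "form-action", "frame-ancestors", "worker-src", "manifest-src",
    "report-uri", "report-to", "upgrade-insecure-requests",
}

# Source expressions that widen what a directive permits and should be
# justified in review (the thread justifies 'unsafe-eval' and
# 'wasm-unsafe-eval' per site).
RISKY_SOURCES = {
    "'unsafe-inline'", "'unsafe-eval'", "'wasm-unsafe-eval'",
    "*", "data:", "http:", "https:",
}


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}.

    Directives are separated by ';' and source expressions by whitespace.
    Browsers ignore a repeated directive (the first occurrence wins), and
    this parser keeps that behaviour rather than merging them.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name, sources = tokens[0].lower(), tokens[1:]
        if name in directives:
            continue
        directives[name] = sources
    return directives


def lint_policy(policy: str) -> List[str]:
    """Return human-readable findings for a policy string.

    A directive name appearing inside another directive's source list
    almost always means a ';' separator is missing, so the browser would
    treat the whole run as one directive and silently drop the intended one.
    """
    findings: List[str] = []
    for name, sources in parse_policy(policy).items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive {name!r}")
        for src in sources:
            lowered = src.lower()
            if lowered in KNOWN_DIRECTIVES:
                findings.append(
                    f"{name}: directive name {src!r} found in source list "
                    f"(missing ';' before it?)"
                )
            if lowered in RISKY_SOURCES:
                findings.append(f"{name}: permits {src} (weakens the policy)")
    return findings


def header_for(policy: str, enforce: bool,
               report_endpoint: Optional[str] = None) -> Tuple[str, str]:
    """Build (header name, header value) for one rollout phase.

    Report-only mode uses the *-Report-Only header name, so browsers report
    violations without blocking anything; a report-uri is appended when the
    policy lacks one so the reports actually reach the server.
    """
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    directives = parse_policy(policy)
    if report_endpoint and "report-uri" not in directives:
        directives["report-uri"] = [report_endpoint]
    value = "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in directives.items())
    return name, value


if __name__ == "__main__":
    # Constructed sample policies; not the project's real header values.
    grunt_like = "default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self' secure.gravatar.com"
    broken = "default-src 'self' script-src 'self'"  # the ';' between directives is missing
    for label, pol in (("grunt-like", grunt_like), ("broken", broken)):
        print(label, lint_policy(pol) or "no findings")
    for phase in (False, True):
        print(*header_for(grunt_like, enforce=phase, report_endpoint="/csp-report"))
```

The checker is meant to run in CI against the policy string a role's template renders, so a missing separator is caught before nginx keeps serving the previous configuration; in the report-only phase, the `report-uri` endpoint is where the violation reports the thread plans to review will arrive.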