
CSP exceptions #63

Merged
merged 1 commit into from
Oct 20, 2024

Conversation

timmywil
Member

@timmywil timmywil commented Sep 28, 2024

miscweb

  • script-src: allow 'wasm-unsafe-eval' for WebAssembly-driven search on static sites
    • See pagefind docs for more info. While the Pagefind docs say wasm-unsafe-eval was not yet supported in Safari, it seems to be now, according to MDN and caniuse. I'll double check this after deployment.
    • There is currently a proposal to add a wasm-src attribute with SRI hash validation. We should be able to add that in the future and remove the wasm-unsafe-eval.
  • img-src: allow secure.gravatar.com images for the plugins site

grunt

  • script-src: add 'unsafe-eval' exception for plugins search
    • the datatables plugin uses jQuery's eval. While later versions of jQuery switched to using script tags for eval, it would still require an unsafe-inline exception. The best solution would be to re-implement search, but that would take time.

Ref #54

@timmywil timmywil added the "Service: Miscweb" label (Static sites and redirects) Sep 28, 2024
@timmywil timmywil requested a review from Krinkle September 28, 2024 00:38
@timmywil timmywil self-assigned this Sep 28, 2024
@timmywil timmywil changed the title from "miscweb: add CSP exceptions for miscweb static sites" to "CSP exceptions" Sep 28, 2024
@mgol
Member

mgol commented Oct 7, 2024

  • the datatables plugin uses jQuery's eval. While later versions of jQuery switched to using script tags for eval, it would still require an unsafe-inline exception.

How does it work with just unsafe-eval then? unsafe-inline is stronger, but including it would defeat the purpose of using CSP.

@timmywil
Member Author

timmywil commented Oct 8, 2024

How does it work with just unsafe-eval then?

That's what I was trying to explain. It works because the older jQuery from back when the search was written uses native eval() (and the grunt site is still on an older version of jQuery). New jQuery uses a script tag. The former needs the unsafe-eval exception; the latter needs unsafe-inline. My point was that simply upgrading jQuery doesn't fix the problem (and would require more changes and time anyway). The best fix would be to rewrite the search functionality, so I think the first step is to allow the exception for now until someone can get to the search.


@mgol mgol left a comment


Ah, I didn't notice it was just for the Grunt site.

It's an interesting aspect of our switch of globalEval from indirect eval to an inline script tag - required CSP is actually less secure in the latter.

@timmywil
Member Author

timmywil commented Oct 9, 2024

required CSP is actually less secure in the latter

yes, in a way. But in defense of the script tag, it allows the user to theoretically set a nonce.
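The exchange above (the PR description's per-site exceptions, and the eval / script-tag / nonce distinction discussed in the comments) as an added example that is not part of the PR or of the jquery infrastructure repository: a small model of how `script-src` keywords gate each code path. The policy strings are constructed from the PR description, since the actual headers are not shown on this page, and the evaluator is a simplification of the real CSP algorithm (exact host match only, no scheme or wildcard handling).

```javascript
// Constructed policies modelled on the PR description (the real headers are not on this page).
const MISCWEB_CSP =
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; " +
  "img-src 'self' secure.gravatar.com; media-src 'self' content.jquery.com";
const GRUNT_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
// Hypothetical alternative for gruntjs.com if the search were served via a nonce'd script tag.
const GRUNT_NONCE_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Sources governing a fetch directive, with the default-src fallback that CSP applies.
function sourcesFor(policy, directive) {
  return policy[directive] || policy["default-src"] || [];
}

// Does script-src permit the given way of running code?
//   "eval"   : jQuery's old globalEval, an indirect eval()      -> needs 'unsafe-eval'
//   "wasm"   : WebAssembly compilation (Pagefind search)        -> 'wasm-unsafe-eval' or 'unsafe-eval'
//   "inline" : newer globalEval, an injected <script> w/o nonce -> needs 'unsafe-inline'
//   "nonce"  : the same <script> carrying nonce=<value>         -> needs a matching 'nonce-...'
function scriptAllowed(policy, kind, nonce) {
  const srcs = sourcesFor(policy, "script-src");
  const hasNonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  switch (kind) {
    case "eval":   return srcs.includes("'unsafe-eval'");
    case "wasm":   return srcs.includes("'unsafe-eval'") || srcs.includes("'wasm-unsafe-eval'");
    // CSP Level 3 ignores 'unsafe-inline' once a nonce or hash source is present.
    case "inline": return srcs.includes("'unsafe-inline'") && !hasNonceOrHash;
    case "nonce":  return nonce !== undefined && srcs.includes(`'nonce-${nonce}'`);
    default:       throw new Error(`unknown kind ${kind}`);
  }
}

// Does a fetch directive (img-src, media-src, ...) allow a resource from `host`?
// Simplified: exact host match only; 'self' is resolved against the `self` origin host.
function hostAllowed(policy, directive, host, self) {
  return sourcesFor(policy, directive).some((s) => s === host || (s === "'self'" && host === self));
}
```

Running the two policies through it shows the point made in the thread: with `'unsafe-eval'` alone the old indirect-eval path works, while the newer script-tag path is blocked unless a nonce (or `'unsafe-inline'`) is added.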

**miscweb**

- script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
  bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
- img-src: allow secure.gravatar.com images on plugins.jquery.com
- media-src: allow content.jquery.com media on podcast.jquery.com

**grunt**

- script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
- the datatables plugin uses jQuery's eval. While later versions
  of jQuery switched to using script tags for eval, it would
  still require an  exception. The best solution
  would be to re-implement search, but that will take time.

@timmywil
Member Author

timmywil commented Oct 20, 2024

Squashed/rebased and added an exception for podcast.jquery.com to load media (i.e. podcast audio) from content.jquery.com.

@timmywil timmywil merged commit 0bb2e32 into jquery:staging Oct 20, 2024
2 checks passed
@timmywil timmywil deleted the csp branch October 20, 2024 19:47
Labels: Service: Gruntjscom; Service: Miscweb (Static sites and redirects)