@ggazzo ggazzo commented Feb 12, 2021

Closes #19815

Proposed changes (including videos or screenshots)

Security policies were applied for inline script cases. Due to the libraries and components we use, it is not possible to disable inline styles and images, as they would break oEmbeds and other libraries.

Basically, the inline scripts were moved to a JS file.

Besides that, some sugar syntax like addScript and addStyle was added; this way the application already takes care of inserting the elements and providing the content automatically.

@ggazzo ggazzo force-pushed the csp branch 2 times, most recently from 7d5cc94 to 79c59f4 Compare June 4, 2021 16:21
@ggazzo ggazzo changed the title CSP wip [NEW] Content-Security-Policy for inline scripts Jun 4, 2021
@RocketChat RocketChat deleted a comment from lgtm-com bot Jun 4, 2021
@ggazzo ggazzo requested review from a team and removed request for a team June 4, 2021 16:38
@ggazzo ggazzo marked this pull request as ready for review June 4, 2021 16:41
@ggazzo ggazzo requested review from a team June 4, 2021 16:42
@ggazzo ggazzo added this to the 3.16.0 milestone Jun 9, 2021
@ggazzo ggazzo requested a review from sampaiodiego June 20, 2021 05:44
@DocDocTeam
Updated to 3.16. There was a Content-Security-Policy error:
"Refused to load the script 'https://lib.usedesk.ru/secure.usedesk.ru/widget_111111.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."

This is while Content-Security-Policy is disabled in the general settings.
The documentation is empty: https://github.com/RocketChat/docs/blob/master/guides/administration/administration/settings/setup-wizard.md

  1. You write "basically the inline scripts were moved to a js file" - in which one?
  2. How do I whitelist my script?
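
The refusal quoted above can be modelled in a few lines. This is an added example, not part of the pull request or of Rocket.Chat: a JavaScript check that parses a CSP header, applies the script-src-elem, then script-src, then default-src fallback the browser message mentions, and tests a script URL against the governing directive. The page origin https://chat.example.com is a constructed placeholder; the header and script URL are the ones quoted in the comment.

```javascript
// Added example (not Rocket.Chat code): a minimal model of how a browser decides
// whether <script src=...> may load under a CSP header, including the
// script-src-elem -> script-src -> default-src fallback. Port/path matching omitted.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Directive governing <script> elements, following the fallback chain.
function effectiveDirective(policy) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (policy[name]) return { name, sources: policy[name] };
  }
  return null; // no governing directive: the load is not restricted
}

// Does one source expression match the script URL?
function sourceAllows(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false; // keywords, nonces, hashes never match a URL
  if (source.endsWith(':')) return url.protocol === source; // scheme source, e.g. https:
  // Host source: optional scheme, optional *. wildcard, host (port/path ignored here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  const h = host.toLowerCase();
  return wildcard ? url.hostname.endsWith(`.${h}`) : url.hostname === h;
}

// Returns whether the script may load and which directive decided it.
function checkScript(header, scriptUrl, pageOrigin) {
  const directive = effectiveDirective(parseCsp(header));
  if (!directive) return { allowed: true, directive: null };
  const url = new URL(scriptUrl);
  const allowed = directive.sources.some((s) => sourceAllows(s, url, pageOrigin));
  return { allowed, directive: directive.name };
}

// Constructed sample: the header and script URL quoted in the comment above,
// loaded from a hypothetical page origin.
const widget = 'https://lib.usedesk.ru/secure.usedesk.ru/widget_111111.js';
console.log(checkScript("script-src 'self' 'unsafe-eval'", widget, 'https://chat.example.com'));
// -> { allowed: false, directive: 'script-src' }
```

Adding the widget's origin to script-src (or setting script-src-elem explicitly) is what turns the result to allowed; the wildcard and 'none' cases behave the same way a browser evaluates them.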

Successfully merging this pull request may close these issues.

Not possible to set an effective Content-Security-Policy (CSP) because of in-line content