Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Trusted Types and other security related headers to the UI #1344

Open
travjenkins opened this issue Oct 30, 2024 · 0 comments
Open

Add Trusted Types and other security related headers to the UI #1344

travjenkins opened this issue Oct 30, 2024 · 0 comments
Labels
enhancement New feature or request Security Security Related

Comments

@travjenkins
Copy link
Member

travjenkins commented Oct 30, 2024
edited
Loading

The lists are NOT exhaustive. Only what we or Csper.io discovered.

Trusted Types

We should be really safe and start working on getting the UI to work with Trusted Types

Not 100% sure how we'll handle this yet - but we should try to make slow and steady progress.

Apache eCharts

Tooltip writes to the DOM
image

Stripe

TMLScriptElement src|https://js.stripe.com/v3
HTMLScriptElement src|https://js.stripe.com/v3/fingerprinted/j

LogRocket

This one is weird cause we have it marked in the script-src
HTMLScriptElement src|https://cdn.logr-ingest.com/logger-1.min

GTM

HTMLScriptElement src|https://www.googletagmanager.com/gtm.js?

Monaco

Worker constructor|/static/editor.worker-e9368882.js
Worker constructor|/static/json.worker-3dd12af9.js

UNKNOWNS

Given the code around it I think this is Apache eCharts
image

Cross Origin Opener

We have the header in place but Chrome is still complaining about this. Not 100% sure what it is complaining about

...
add_header Permissions-Policy "geolocation=(), microphone=(), camera=() always";
add_header Cross-Origin-Opener-Policy same-origin-allow-popups always;
add_header Content-Security-Policy "
...

OAuth Providers

Opening the pop up and communicating complains
image
@travjenkins travjenkins added the enhancement New feature or request label Oct 30, 2024
@travjenkins travjenkins changed the title Add Trusted Types to the UI Add Trusted Types and other security related headers to the UI Oct 31, 2024
@travjenkins travjenkins added the Security Security Related label Oct 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request Security Security Related
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@travjenkins