config: CSP object-src and unsafe-inline #28
Conversation
|
I think by default we should have a secure configuration, and only if you enable debug should we add the unsecure configuration. |
dinosk
force-pushed
the
60-enable-flask-debugtoolbar
branch
from
f058026 to
ac7395a
Compare
|
I was thinking the same thing, I tried adding the variable name to explain the reason for appending the config var but maybe it could be done in a more elegant way, which doesn't come to me right now. |
* ADD object-src: 'none' as suggested by the CSP evaluator tool, and default-src: 'unsafe-inline' to allow the use of Flask-DebugToolbar when running in DEBUG mode. Signed-off-by: Dinos Kousidis <[email protected]>
dinosk
force-pushed
the
60-enable-flask-debugtoolbar
branch
from
ac7395a to
1aa6bb9
Compare
|
The only issue I see is that we'll get a lot of "works on my machine, but not in production" for other things as well... Adding inline {% if app.debug %}
<script nonce="{{ csp_nonce() }}">
var DEBUG_TOOLBAR_STATIC_PATH = "{{ url_for('_debug_toolbar.static', filename='') }}";
</script>
{% endif %}(this comes from https://github.com/mgood/flask-debugtoolbar/blob/24362399645f66c82914da8b4da57f8dfcf450eb/flask_debugtoolbar/templates/base.html#L2) |
|
This is a good point, but I don't see an easy way to modify the |
|
Adding the tag only would be enough (and just let the one provided by Flask-DebugToolbar to fail because of CSP). Though I think you're right it will get complex... Let's maybe extract to another issue and postpone for another (possibly UI-related) sprint. |
and default-src: 'unsafe-inline' to allow the use of
Flask-DebugToolbar, the latter should be removed in production
deployments.
Addresses inveniosoftware/cookiecutter-invenio-instance#60
Signed-off-by: Dinos Kousidis [email protected]