Webpacker and CSP #1057
Comments
|
I have a pretty strict CSP policy for some time in my app, using Webpacker and React. React does not need any other special config that I can think of. |
|
@renchap are you using Action Cable? I've tested in an app and looks like we need to whitelist |
headers options is now configurable from webpacker.yml so we can update it with CSP headers. |
|
@gauravtiwari I'm going to test it and report results back |
@guilleiguaran Don't think it applies for angular 4 |
|
All examples work with:
This is needed for angular # Define an application-wide content security policy
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Rails.application.config.content_security_policy do |p|
p.default_src :self, :https
p.font_src :self, :https, :data
p.img_src :self, :https, :data
p.object_src :none
p.script_src :self, :https, :unsafe_eval
p.style_src :self, :https, :unsafe_inline
p.connect_src :self, :https, 'http://localhost:3035', 'ws://localhost:3035'
# Specify URI for violation reports
# p.report_uri "/csp-violation-report-endpoint"
end
# Report CSP violations to a specified URI
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# Rails.application.config.content_security_policy_report_only = true # webpacker.yml
headers:
'Access-Control-Allow-Origin': '*'
'Content-Security-Policy': "script-src 'self' 'unsafe-eval'; connect-src 'self' ws://localhost:3035 http://localhost:3035"
'X-Content-Security-Policy': "script-src 'self' 'unsafe-eval'; connect-src 'self' ws://localhost:3035 http://localhost:3035"
'X-WebKit-CSP': "script-src 'self' 'unsafe-eval'; connect-src 'self' ws://localhost:3035 http://localhost:3035" |
|
Latest docs are here: https://angular.io/guide/security#content-security-policy |
|
made an example app here: https://github.com/gauravtiwari/webpacker-5.2-csp |
|
For my Rails 5.2/React app, I simply needed to change use |
|
@gauravtiwari I think the best we can do for Angular case is document as I did for Vue, linking to the official docs, wdyt? |
|
Ok, I did a bit more of research for Angular and found this issue: angular/angular#11939 As angular/angular#11939 (comment) comments, the solution is to use AoT compiler instead of default JIT compiler. I've found this webpack plugin to use AoT compiler, we can try it and see how it goes: https://www.npmjs.com/package/@ngtools/webpack |
|
@guilleiguaran Documentation sounds good to me. The plugin is pretty specific to Angular and since we ship support for other libs this will be redundant if someone is using say React. Lets document this as an alternative if folks don't want to use See: https://www.npmjs.com/package/@ngtools/webpack#usage (it's asking for angular entry module) What do you think? |
|
@gauravtiwari wdyt about adding it along with the other dependencies in angular installer: https://github.com/rails/webpacker/blob/master/lib/install/angular.rb#L13 and then mention it in the README (and maybe we can add a small example of how to do it). We can then mention to |
|
Makes sense although I am bit worried if this might confuse people since it's going to be incomplete setup (half installer and half documentation). It would be much clearer if we document the whole thing instead and let people decide no? |
|
@gauravtiwari Sounds good, let's document all of it 👍 |
|
Cool 👍 |
|
Added docs about Angular in a61f8fe |
|
About |
|
@guilleiguaran Seems to work fine, added an example here: gauravtiwari/webpacker-5.2-csp@83a7eb0 |
For dev server bit, we add it by default right? https://github.com/gauravtiwari/webpacker-5.2-csp/blob/master/config/webpacker.yml#L53 |
|
is the yml configuration enough or do we need to add it to Rails initializer anyway??
…Sent from my iPhone
On Dec 8, 2017, at 11:55, Gaurav Tiwari ***@***.***> wrote:
dev server requires allowing ws://localhost:3035 and http://localhost:3035 as connect-src
For dev server bit, we add it by default right? https://github.com/gauravtiwari/webpacker-5.2-csp/blob/master/config/webpacker.yml#L53
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
I guess we need it in both places. |
|
During my tests having it in Rails initializer was enough to fix the problem.
I think the reason is that those headers are important only when the content served is an HTML document (since it includes other elements), so it doesn’t apply for the typical usage cases of webpack-dev-server (except if you’re using an html-loader)
…Sent from my iPhone
On Dec 8, 2017, at 13:15, Gaurav Tiwari ***@***.***> wrote:
I guess we need it in both places.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Ahh yes that's correct, my bad :) |
|
Think we can close this one then? |
|
Let's document I'll check on Rails side to see if we can provide a way to provide to third-party libraries to append values to the CSP directives. |
|
Added note about webpack-dev-server in: a61f8fe |
Get rid of console warnings: rails/webpacker#1057 /content_security_policy.rb
I'm opening this to keep track of the issues found when trying to use webpacker along with new Rails 5.2 CSP DSL.
cheap-eval-source-mapdevtool can't be used withunsafe-eval, Fixed: Switch config.devtool from cheap-eval-source-map to cheap-module-source-map #1046ws://localhost:3035andhttp://localhost:3035asconnect-src__webpack_nonce__?, referenceunsafe-eval, reference, documented in 57540aeThe text was updated successfully, but these errors were encountered: