Disable CSP by default (#7589)
* effectively disable CSP by default
* Merge remote-tracking branch 'origin/master' into no-csp-default
* changelog and rm comments
* merge
* Merge branch 'master' into no-csp-default
normanrz authored Feb 9, 2024
1 parent 1a8fb20 commit 282aeef
Showing 3 changed files with 10 additions and 17 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.unreleased.md
Expand Up @@ -18,6 +18,7 @@ For upgrade instructions, please check the [migration guide](MIGRATIONS.released

### Changed
- Datasets stored in WKW format are no longer loaded with memory mapping, reducing memory demands. [#7528](https://github.com/scalableminds/webknossos/pull/7528)
- Content Security Policy (CSP) settings are now relaxed by default. To keep stricter CSP rules, add them to your specific `application.conf`. [#7589](https://github.com/scalableminds/webknossos/pull/7589)
- WEBKNOSSOS now uses Java 21. [#7599](https://github.com/scalableminds/webknossos/pull/7599)


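Review bot: the entry for #7589 says CSP settings are "relaxed", but the accompanying change in conf/application.conf replaces every directive with `*` plus `'unsafe-inline'` and `'unsafe-eval'`, which matches the commit title "Disable CSP by default" rather than a relaxation. Say so in the changelog so operators of internet-facing instances know the shipped default no longer restricts script, frame or connect sources and that they must supply their own directives, for example: "The default CSP directives now allow any source (`*`, `'unsafe-inline'`, `'unsafe-eval'`), i.e. CSP is effectively disabled unless overridden in `application.conf`."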
1 change: 1 addition & 0 deletions MIGRATIONS.unreleased.md
Expand Up @@ -7,6 +7,7 @@ User-facing changes are documented in the [changelog](CHANGELOG.released.md).

## Unreleased
- WKW datasets can now only be read if they have a `header.wkw` file in their mag directories. If specific datasets can no longer be loaded, consider adding such a file. Backend logging should show according error message. [#7528](https://github.com/scalableminds/webknossos/pull/7528)
- Content Security Policy (CSP) settings are now relaxed by default. To keep stricter CSP rules, add them to your specific `application.conf`. [#7589](https://github.com/scalableminds/webknossos/pull/7589)
- The way the segment index is stored for nd-annotations has been changed ([#7411](https://github.com/scalableminds/webknossos/pull/7411)). Annotations with old segment indices should be
archived if they do not contain relevant data. The following SQL query can be used:
```sql
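Review bot: this migration entry is the changelog line copied verbatim and does not tell an operator what to put into `application.conf` to keep the stricter rules. The previous `csp.directives` block, together with its comments on which hosts have to be listed (api.github.com and gist.github.com for user scripts, *.voxelytics.com for report images, the external datastore URLs and the host domain in `connect-src`), is deleted in this same commit, so either reproduce that block here as the template to copy or point to where it is preserved; otherwise the only way to recover the strict configuration is git history.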
25 changes: 8 additions & 17 deletions conf/application.conf
Expand Up @@ -25,23 +25,14 @@ play {
# Note that the CSP filter is not enabled. We manually add this header ourselves for the
# main view, using the following config (note that currently only directives are used, not nonce or hashes)
csp.directives {
default-src = "'self'"
# In production 'unsafe-inline' should be removed as it is only needed to make the React Dev Tools work in Firefox.
# 'unsafe-eval' is needed because many libraries use some form of eval internally.
# The sha256 hash refers to the google analytics configuration script in main.scala.html.
script-src = "'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com app.olvy.co webknossos.olvy.co *.gstatic.com 'sha256-NA81o2FV8jh0UizSPsBz2qEGpXfap54Eghuo7vxrH8g='"
# 'unsafe-inline' is needed, because the olvy script uses inline CSS.
style-src = "'self' 'unsafe-inline' *.gstatic.com"
# In production ws://localhost:9002 should be removed as it is only needed to make the webpack dev-server work.
# api.github.com and gist.github.com are needed for the user script functionality.
# All external datastore URLs need to be included here, for example: *.webknossos.org demo.data1-brain.esc.rzg.mpg.de
# In addition, the host domain needs to be added as well, for example: *.webknossos.org
connect-src = "'self' ws://localhost:9002 app.olvy.co api.github.com gist.github.com *.google-analytics.com api.airbrake.io"
frame-src = "'self' webknossos.olvy.co"
# *.voxelytics.com is needed for images embedded in Voxelytics reports.
img-src = "'self' data: *.googletagmanager.com *.google-analytics.com *.voxelytics.com"
media-src = "*.webknossos.org"
font-src = "'self' data:"
default-src = "* data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline'"
script-src = "* data: blob: 'unsafe-inline' 'unsafe-eval'"
style-src = "'self' 'unsafe-inline' *"
connect-src = "* data: blob: 'unsafe-inline'"
frame-src = "* data: blob: "
img-src = "* data: blob: 'unsafe-inline'"
media-src = "* data: blob: 'unsafe-inline'"
font-src = "* data: blob: 'unsafe-inline'"
}
enabled += "play.filters.headers.SecurityHeadersFilter"
disabled += "play.filters.csrf.CSRFFilter"
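Review bot: `'unsafe-inline'` is only a valid source expression for script and style directives; in `connect-src`, `img-src`, `media-src` and `font-src` it has no effect and browsers report it as ignored, so drop it from those four lines (and remove the trailing space in `frame-src = "* data: blob: "`; `'self'` in `style-src` is also redundant next to `*`). With every directive at `*`, the header is still added for the main view but no longer restricts anything, so either skip emitting it when these defaults are in effect or update the comment above `csp.directives`, which still describes a manually tuned allow-list, to state that the shipped default is deliberately permissive. The deleted comments were the only in-repo documentation of which hosts a stricter deployment must allow; keeping the old block as a commented-out template would let operators following the migration note reconstruct it without digging through history.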