
Use event listener for QR-Code display in CSP compliance purpose #2103

Merged (1 commit), Nov 16, 2024

Conversation


@thican thican commented Nov 7, 2024

In the objective to improve Content Security Policy (CSP) as raised in issue #1513, here is a first PR targeting the QR-Code display feature.

I was only able to test it on the current release version, v0.13.0.


nodiscc commented Nov 7, 2024

Hi @thican, thanks
This is an effort to help us get rid of the need to set script-src 'unsafe-inline' in CSP headers, correct?

@nodiscc nodiscc added enhancement security cleanup code cleanup and refactoring javascript client-side rendering labels Nov 7, 2024

thican commented Nov 7, 2024

Hello @nodiscc,
First thank you for your work on this project, and also for the other contributors.

You're right, my objective is to make Shaarli run smoothly with a "hardened" CSP, such as script-src 'self'; and style-src 'self';.
I am also working on other parts of the code, because why not continue then.

However, I am not a Web developer, so I might create more issues than I fix. I’ll keep you updated with new PRs, or maybe a global PR to answer issue #1513 globally.

Meanwhile, here is my whole CSP (dedicated vhost):

default-src 'none'; base-uri 'self'; form-action 'self'; manifest-src 'self'; connect-src * blob:; script-src 'self'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob: https://*; media-src 'self' data: blob: https://*; object-src 'none'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals
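As an added illustration (not Shaarli's code and not part of the thread), the snippet below parses the policy quoted above, reports whether script-src/style-src still depend on 'unsafe-inline', and scans constructed markup for the inline on*= handlers that script-src 'self' blocks and that an addEventListener call in an external script replaces. The markup strings and the showQrCode name are constructed for the example.

```javascript
// Parse "name v1 v2; name v1" into { name: [values] } (directive names lower-cased).
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Fetch directives such as script-src / style-src fall back to default-src when absent.
function effectiveSources(directives, name) {
  return directives[name] || directives['default-src'] || [];
}

// True when the directive permits inline script/style. A nonce or hash source
// makes 'unsafe-inline' ignored in CSP Level 2+ browsers, so it no longer counts.
function allowsInline(directives, name) {
  const sources = effectiveSources(directives, name);
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.includes("'unsafe-inline'") && !nonceOrHash;
}

// Heuristic scan for inline event-handler attributes (onclick=, onload=, ...),
// which script-src 'self' refuses to execute; the fix is a listener registered
// from an external script file, as this PR does for the QR-Code display.
function findInlineHandlers(html) {
  const found = [];
  const re = /\s(on[a-z]+)\s*=/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].toLowerCase());
  return found;
}

// The hardened policy quoted in the thread above.
const HARDENED_CSP = "default-src 'none'; base-uri 'self'; form-action 'self'; manifest-src 'self'; connect-src * blob:; script-src 'self'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob: https://*; media-src 'self' data: blob: https://*; object-src 'none'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals";

// Constructed markup: old style with an inline handler, new style relying on a
// data attribute read by an external script via addEventListener.
const OLD_QR_MARKUP = '<a href="#" class="qrcode" onclick="showQrCode(this); return false;">QR</a>';
const NEW_QR_MARKUP = '<a href="#" class="qrcode" data-url="https://example.invalid/?abc">QR</a>';
```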

@nodiscc nodiscc self-requested a review November 9, 2024 12:06
@nodiscc nodiscc added this to the 0.14.0 milestone Nov 9, 2024
@nodiscc nodiscc modified the milestones: 0.14.0, 0.15.0 Nov 15, 2024

@nodiscc nodiscc left a comment


works fine, no console warnings
Thank you

@nodiscc nodiscc merged commit 5f54448 into shaarli:master Nov 16, 2024
8 checks passed