Changing to semantic CSP injection #131
Conversation
Instead of simply injecting some additional entries into the default-src of the csp, we now properly parse it and add the specific constraints that we care about. In particular, we make sure to preserve any previous constraints, but we allow websocket connections to 'self' and blob urls for images.
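The approach the description outlines, as an added example that is not the project's code: parse the policy into directives, then add the websocket and blob sources while keeping everything already present. It also handles the case the description implies but does not spell out: a directive that is not yet in the policy is seeded from `default-src`, because creating a bare `connect-src ws:` would otherwise drop every host the policy previously allowed through the fallback. The function and sample policy names are my own.

```javascript
// Parse "name src src; name src" into an insertion-ordered Map.
function parseCsp(csp) {
  const directives = new Map();
  csp.split(';').forEach(part => {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) return;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive name; keep the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  });
  return directives;
}

function serializeCsp(directives) {
  return [...directives]
    .map(([name, srcs]) => [name, ...srcs].join(' '))
    .join('; ');
}

// Add `sources` to directive `name`, preserving existing sources.
// Fetch directives that are absent fall back to default-src, so a newly
// created directive starts as a copy of default-src; otherwise the new
// directive would silently replace that fallback with only our sources.
function addSources(directives, name, sources) {
  if (!directives.has(name)) {
    directives.set(name, [...(directives.get('default-src') || [])]);
  }
  const list = directives.get(name);
  sources.forEach(src => { if (!list.includes(src)) list.push(src); });
  return directives;
}

// The two relaxations the PR describes: websockets to self, blob: images.
function relaxCsp(csp) {
  const d = parseCsp(csp);
  addSources(d, 'connect-src', ["'self'", 'ws:']);
  addSources(d, 'img-src', ['blob:']);
  return serializeCsp(d);
}

// Constructed sample: a typical Cordova meta-tag policy (hypothetical host).
const samplePolicy =
  "default-src 'self' data: https://api.example.com; style-src 'self' 'unsafe-inline'";

console.log(relaxCsp(samplePolicy));
```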
Hi @MSLaguana, I'm your friendly neighborhood Microsoft Pull Request Bot (You can call me MSBOT). Thanks for your contribution!
TTYL, MSBOT;
// Note we replace "default-src 'self'" with "default-src 'self' ws:" (in Content Security Policy) so that
// websocket connections are allowed (this relies on a custom version of send that supports a 'transform' option).
// Note we add "connect-src 'self' ws:" and "img-src 'blob:' (in Content Security Policy) so that
// websocket connections are allowed and the camera plugin works (this relies on a custom version
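Review bot: the new comment writes the scheme source as `'blob:'` with quotes, but in CSP only keywords such as `'self'` are quoted; scheme sources are bare, as `ws:` is already written on the same line. A quoted `'blob:'` is not a recognised source expression and browsers ignore it, so the comment should read `"img-src blob:"` to avoid someone later copying the quoted form into the policy itself.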
What do you mean that the camera plugin works? Is there any issue with that?
My understanding is that the camera plugin works by providing blob: URLs, and that's the reason for adding it to the CSP.
Thanks for the clarification.
var metaTagRegex = /<\s*meta[^>]*>/g;
var cspRegex = /http-equiv\s*=\s*(['"])Content-Security-Policy\1/;
var cspContent = /(content\s*=\s*")([^"]*)"/;
var maxCspTagLength = 1024;
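Review bot: `cspContent` only matches a double-quoted `content` attribute, while `cspRegex` just above accepts either quote style via the `(['"])...\1` backreference. A meta tag written as `content='...'` therefore passes the http-equiv check but its policy is never rewritten, and the websocket and blob sources go missing without any error. Suggest the same backreference form, `/(content\s*=\s*(['"]))([^'"]*)\2/`, with the capture-group index adjusted wherever the match is consumed. Separately, `metaTagRegex` carries the `g` flag: if it is hoisted to module level, remember that a global regex used with `test`/`exec` keeps `lastIndex` between calls, so either reset it or use `String.prototype.match`/`replace`.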
Maybe this could be declared only once at module level,
/**
* Some doc if we need to clarify something.
* @const
*/
var MAX_CSP_TAG_LENGTH = 1024;
Looks good to me! thanks!
Fixes #130