use a content-security-policy in development #2142
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
|
We might not need the headers in |
|
I was thinking the same thing. Will think about it. |
|
Yeah, it's certainly optional for us to add them to vercel.json, but I also figure why not (apart from the hot mess of importing the JSON file when loading the Vite config). My thinking was, if we see some regular usage out of that, that's more incidental testing on the CSP... but I don't know if we get bug reports about the console preview. |
|
Still looking through all the values but I think this is good. I don't see any errors, everything seems fine. Good idea using the vercel config as the single source of truth. |
vite.config.ts
Outdated
| preview: { | ||
| headers: headers, | ||
| }, |
There was a problem hiding this comment.
oh, lol, this was me testing to see if prettier or eslint would fix this (it apparently didn't)
|
Do we have some way of knowing that the Playwright tests are actually using this header? (Does it use Vite to spin up the server?) |
|
One thing I probably want to do is find a way in the code itself to comment on each of the values and why they are what they are. It looks like we can't convert vercel.json to .jsonc and we probably can't jam comments in there, so I might add it as a markdown thing in the docs dir. |
|
I believe we can pretty easily assert in playwright about the headers on a response. I'll try that now. And yes, the tests run against the dev server both in CI and locally: Lines 48 to 51 in f1e8f2e |
|
The vite doc says:
I assume that's relevant in production — maybe we don't need to bother with the nonce at all in local dev? |
|
Yes, that's primarily relevant for production. The reason I went ahead and randomized it for each config load is so that someone can't add a The real purpose of
(from https://csp-evaluator.withgoogle.com/) But we could pretty easily have Nexus generate a nonce, if we want. I guess we wouldn't be able to apply the correct nonce in vercel.json though. |
|
I suppose how that would look is:
I haven't yet researched if that breaks any browser addons. |
|
Ok, I think the placeholder thing makes more sense than what we have now, but I suspect, as you say, I'm thinking of adding more explanation to the doc of why we're doing this client-side. How close is this? Do you think there is much of a direct security problem we're solving? The only attack vector I can think of is a malicious npm dependency.
|
|
I don't believe we're solving a security problem directly by putting the CSP here, so your writeup is correct to me. The primary reason for starting here is to catch issues early (and before we turn it on in Nexus, where clickjacking/XSS/etc are far more of a potential threat). Given that the Playwright tests run against the dev server, I definitely want to keep the nonce setup in non-production mode; the alternative is that we must allow |
| @@ -1,6 +1,19 @@ | |||
| { | |||
| "buildCommand": "API_MODE=msw npm run build && cp mockServiceWorker.js dist/", | |||
| "buildCommand": "API_MODE=msw npm run build && cp mockServiceWorker.js dist/ && npx patch-package --reverse", | |||
There was a problem hiding this comment.
Added this because I added more content to an existing patch in a commit, which made Vercel break. Turns out it caches your node_modules at the end of the run, and patch-package only knows not to apply a patch if it's entirely applied.
ds300/patch-package#37 has some related chatter.
Also, a much simpler patch to react-remove-scroll should be possible and have the same effect, without removing the offending code from our bundle, if a smaller patch is preferred: diff --git a/node_modules/react-remove-scroll/dist/es2015/UI.js b/node_modules/react-remove-scroll/dist/es2015/UI.js
index 26c94a8..5991c96 100644
--- a/node_modules/react-remove-scroll/dist/es2015/UI.js
+++ b/node_modules/react-remove-scroll/dist/es2015/UI.js
@@ -26,7 +26,7 @@ var RemoveScroll = React.forwardRef(function (props, parentRef) {
});
RemoveScroll.defaultProps = {
enabled: true,
- removeScrollBar: true,
+ removeScrollBar: false,
inert: false,
};
RemoveScroll.classNames = { |
|
I just remembered that I need to verify that WebSockets (serial console) still work... |
|
The console websocket works fine with this CSP on Firefox. To-spec source matching was apparently wrong in WebKit (Safari) until two years ago. Not sure what Safari versions we consider supported? https://bugs.webkit.org/show_bug.cgi?id=235873 Unfortunately there appear to be some inline styles in xterm.js that I'll need to hunt down. I didn't realize that was in a separate bundle. |
|
If we want this to land in R8, we should add 'unsafe-inline' back to style-src, I think (and do the same over on the Omicron PR). Getting xterm.js to play nicely will take a bit more time than the patches above did. |
|
I think that makes sense. Everything else is a big improvement on the status quo. |
|
Cool. I'll get that done today so we can land it! |
|
Think it's worth getting rid of the patches and redoing them later? Keeps things cleaner here. |
This reverts commit 06e13cd.
|
Personally I'd like to keep them so we can see if/when they break with upstream changes? I don't think the behavior we're patching out is something we really want anyway. Unless the reason they're pulled in (e.g. radix-ui) are being dropped at some point. |
|
Yeah, that's fine. We'll see conflicts if we bump the dep and it conflicts with changes they've made. |
oxidecomputer/console@c008d36...d2a9345 * [d2a9345f](oxidecomputer/console@d2a9345f) oxidecomputer/console#2142 * [2b6d0f7b](oxidecomputer/console@2b6d0f7b) oxidecomputer/console#2185 * [e649e7b7](oxidecomputer/console@e649e7b7) oxidecomputer/console#2170 * [0f4bed01](oxidecomputer/console@0f4bed01) oxidecomputer/console#2180 * [06f4b868](oxidecomputer/console@06f4b868) oxidecomputer/console#2167 * [a25e84e8](oxidecomputer/console@a25e84e8) oxidecomputer/console#2166 * [629c94a6](oxidecomputer/console@629c94a6) oxidecomputer/console#2168
oxidecomputer/console@c008d36...d2a9345 * [d2a9345f](oxidecomputer/console@d2a9345f) oxidecomputer/console#2142 * [2b6d0f7b](oxidecomputer/console@2b6d0f7b) oxidecomputer/console#2185 * [e649e7b7](oxidecomputer/console@e649e7b7) oxidecomputer/console#2170 * [0f4bed01](oxidecomputer/console@0f4bed01) oxidecomputer/console#2180 * [06f4b868](oxidecomputer/console@06f4b868) oxidecomputer/console#2167 * [a25e84e8](oxidecomputer/console@a25e84e8) oxidecomputer/console#2166 * [629c94a6](oxidecomputer/console@629c94a6) oxidecomputer/console#2168
In preparation for adding
content-security-policyand other security headers to console endpoints in Nexus, we can add them here too to ensure they're applied when developing / running tests / etc.The base headers are defined in
vercel.jsonand then imported intovite.config.tsto avoid repeating them.The
content-security-policyis based on the recommendation by the OWASP Secure Headers Project (click the "Best Practices" tab). I am still tweaking this as I look at other sites for recommendations, but I wanted to see if this breaks any tests. The directives:default-src 'self': By default, restrict all resources to same-origin.style-src 'unsafe-inline' 'self': Restrict CSS to same-origin and inline use. We've fixed a number of these issues as part of this PR but we still have some, so we'll track those in Tracking: removestyle-src: 'unsafe-inline'from CSP #2183.frame-src 'none': Disallow nested browsing contexts (<frame>and<iframe>).object-src 'none': Disallow<object>and<embed>.form-action 'none': Disallow submitting any forms with anactionattribute (none of our forms appear to be the traditional kind and instead use events).frame-ancestors 'none': Disallow embedding this site with things like<iframe>; used to prevent click-jacking attacks.In development mode, an additional
script-srcCSP directive is added which references a randomly-generated nonce. Vite injects this in the generated index.html so that the dev-mode scripts can load. We do this instead of allowing'unsafe-inline'because I'm not sure whether tests run against dev bits or not, and this helps get dev builds much closer to production.Also set are
x-content-type-options: nosniffandx-frame-options: DENY.It would be nice to write tests (both vitest and playwright?) that verify this header is set in those environments so we know we're actually testing the CSP.