Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CSP headers #230

Merged
merged 6 commits into from
Jun 4, 2024
Merged

Add CSP headers #230

merged 6 commits into from
Jun 4, 2024

Conversation

cstns
Copy link
Contributor

@cstns cstns commented Apr 30, 2024

Description

Take CSP into consideration and allows the editor to be embedded

Related Issue(s)

related to: #3801
part of: #3800

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production

Labels

  • Backport needed? -> add the backport label
  • Includes a DB migration? -> add the area:migration label

@cstns cstns requested a review from joepavitt April 30, 2024 18:16
@cstns cstns self-assigned this Apr 30, 2024
@cstns cstns changed the title wip csp Add CSP headers Apr 30, 2024
@cstns cstns marked this pull request as draft April 30, 2024 18:19
knolleary
knolleary reviewed May 1, 2024
View reviewed changes
lib/runtimeSettings.js Outdated Show resolved Hide resolved
@cstns
Copy link
Contributor Author

cstns commented May 1, 2024

We may even be able to allow them to self configure and overwrite the config if needed.

The less config needed to be done by the end user, the better!

@joepavitt
Copy link
Contributor

@cstns now that you're back from holiday - what's the status on this?

@cstns
Copy link
Contributor Author

cstns commented May 8, 2024

Not looking good. Spoke with @hardillb about it and it seems it's the oauth lib that we're using is causing the issues. I also stumbled across jaredhanson/passport#938 in which the author seems to take his hands of the wheel

@joepavitt joepavitt mentioned this pull request May 8, 2024
Closed
@cstns cstns force-pushed the allow-the-editor-to-be-embedded-csp branch from 2d48f25 to f9fab17 Compare June 3, 2024 14:18
@cstns cstns requested review from knolleary and hardillb and removed request for joepavitt June 3, 2024 14:32
@cstns cstns marked this pull request as ready for review June 3, 2024 14:32
knolleary
knolleary requested changes Jun 4, 2024
View reviewed changes
lib/runtimeSettings.js Outdated
},
httpAdminCookieOptions: {
sameSite: 'None',
secure: true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This breaks the editor on localfs where https is not setup. We should only be setting this flag if the core app is setup for https.

This can be tested for using settings.forgeURL as we do in the core app: https://github.com/FlowFuse/flowfuse/blob/3d7af2a8d4c1eb52ca4ef750d316251da45c57be/forge/routes/auth/index.js#L175

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, something else is going wrong - I cannot login to the editor at all, even with all three of the cookie options commented out.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hitting an unrelated issue introduced by #232 - will get that fixed first, then retest with these changes.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've fixed the other issue via #240.

Now, back to this one - I can confirm that having any of these three values set will break accessing the editor with localfs. So rather than just guarding the secure flag, all three should only be set if forgeURL starts https.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was a big oversight on my end, thank you for spotting it!

@cstns cstns requested a review from knolleary June 4, 2024 14:07
@knolleary knolleary merged commit fdea052 into main Jun 4, 2024
5 checks passed
@knolleary knolleary deleted the allow-the-editor-to-be-embedded-csp branch June 4, 2024 14:58
@knolleary
Copy link
Member

Argh - merged too quick - broken settings file.

@cstns
Copy link
Contributor Author

cstns commented Jun 4, 2024

can we stop the deployment?

@knolleary knolleary mentioned this pull request Jun 4, 2024
Merged
@knolleary
Copy link
Member

@cstns it won't get as far as production as we don't automatically update stacks - so no panic there.

Fixed via #241

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knolleary knolleary knolleary approved these changes

@hardillb hardillb Awaiting requested review from hardillb

Assignees

@cstns cstns

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cstns @joepavitt @knolleary