
feat(frontend-canister)!: default secure configuration for assets in frontend project template #2359

Merged
merged 24 commits into from
Dec 21, 2022

Conversation

smallstepman
Contributor

@smallstepman smallstepman commented Jul 19, 2022

Description

blocked by:

Closes https://dfinity.atlassian.net/browse/SDK-473
Closes https://dfinity.atlassian.net/browse/PSEC-710

How Has This Been Tested?

e2e

Checklist:

  • The title of this PR complies with Conventional Commits.
  • I have edited the CHANGELOG accordingly.
  • I have made corresponding changes to the documentation.

@smallstepman smallstepman changed the title placeholder .ic-assets.json files for node starter project asset feat: default security HTTP headers for assets in node starter project Jul 19, 2022
@smallstepman
Contributor Author

smallstepman commented Aug 8, 2022

@robin-kunzler @eduard-dfinity here is a little script so you can test things on your end.

git clone https://github.com/dfinity/sdk sdk_sec_headers
cd sdk_sec_headers
git checkout SDK-473-default-security-headers
cargo run -- new sec_headers
cd sec_headers/
cargo run --manifest-path ../Cargo.toml -- start --clean --background
cargo run --manifest-path ../Cargo.toml -- deploy
FE_CAN_ID=$(cargo run --manifest-path=../Cargo.toml -- canister id sec_headers_frontend)
open "http://127.0.0.1:8000/?canisterId=${FE_CAN_ID}"
curl --head "http://127.0.0.1:8000/index.js?canisterId=${FE_CAN_ID}"
curl --head "http://127.0.0.1:8000/main.css?canisterId=${FE_CAN_ID}"

Output

The headers are loaded as expected, and to my untrained eye, everything is working also in the browser.

HTTP/1.1 200 OK
content-type: application/javascript
ic-certificate: ic-certificate: certificate=:.....:, tree=:....:
content-security-policy: default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://ic0.app https://*.ic0.app;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: same-origin
strict-transport-security: max-age=31536000; includeSubDomains
x-xss-protection: 1; mode=block
permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()
etag: "................"
content-length: 628071
date: Mon, 08 Aug 2022 11:21:12 GMT

HTTP/1.1 200 OK
content-type: text/css
ic-certificate: certificate=:.....:, tree=:....:
content-security-policy: default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://ic0.app https://*.ic0.app;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;
referrer-policy: same-origin
x-xss-protection: 1; mode=block
x-frame-options: DENY
x-content-type-options: nosniff
permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()
strict-transport-security: max-age=31536000; includeSubDomains
etag: "................"
content-length: 537
date: Mon, 08 Aug 2022 11:21:12 GMT
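
An added check, not part of the PR or the dfx project, that audits a `curl --head` dump like the one above for the headers this PR enables (`x-frame-options`, `x-content-type-options`, HSTS, `referrer-policy`, `permissions-policy`, CSP) and also flags the CSP sources that still widen the policy, such as `'unsafe-eval'` in `script-src` and `*`/`'unsafe-inline'` in `style-src`. The sample response is constructed from the thread's output, shortened:

```python
# Constructed sample: abbreviated copy of the index.js response shown in the thread.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
content-type: application/javascript
content-security-policy: default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' https://ic0.app https://*.ic0.app;img-src 'self' data:;style-src * 'unsafe-inline';object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: same-origin
strict-transport-security: max-age=31536000; includeSubDomains
permissions-policy: camera=(), microphone=(), geolocation=()
"""

# Headers the template is expected to set; None means "present, any value".
REQUIRED = {"content-security-policy": None, "x-content-type-options": "nosniff",
            "x-frame-options": "DENY", "referrer-policy": None,
            "strict-transport-security": None, "permissions-policy": None}
# CSP directives that must carry a restrictive source, matching the template's policy.
CSP_MUST = (("object-src", "'none'"), ("frame-ancestors", "'none'"), ("base-uri", "'self'"))
# Source expressions that widen a directive; the template ships some of these.
CSP_WEAK = ("*", "'unsafe-eval'", "'unsafe-inline'")


def parse_headers(raw: str) -> dict:
    """Turn a `curl --head` dump into {lowercase-name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> dict:
    """Split a CSP value into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def audit(raw: str) -> list:
    """Return findings; an empty list means every required header is present and the CSP is tight."""
    headers = parse_headers(raw)
    findings = [f"missing header: {n}" for n in REQUIRED if n not in headers]
    findings += [f"unexpected {n}: {headers[n]!r}" for n, v in REQUIRED.items()
                 if v is not None and headers.get(n, v) != v]
    csp = parse_csp(headers.get("content-security-policy", ""))
    findings += [f"csp {d} should include {s}" for d, s in CSP_MUST if s not in csp.get(d, [])]
    findings += [f"csp {d} allows {w}" for d, srcs in csp.items() for w in CSP_WEAK if w in srcs]
    return findings
```

Run against the thread's output, the only findings are the intentionally permissive sources (`'unsafe-eval'` for script, `*` and `'unsafe-inline'` for styles), which is the part of the template each project should revisit once its own asset needs are known.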

@ghost

ghost commented Aug 17, 2022

Hey @smallstepman sorry for the late reply. I've reviewed the PR, everything looks good to me: headers are correct and I haven't seen any CSP violation or other errors in the browser.

btw, it would be nice to have a FOLLOW ticket for the http security headers comments so we can track its progress, would you mind creating it on your side?

@smallstepman smallstepman changed the title feat: default security HTTP headers for assets in node starter project feat(frontend-canister): default security HTTP headers for assets in node starter project Aug 23, 2022
@smallstepman smallstepman marked this pull request as ready for review August 24, 2022 11:36
@smallstepman smallstepman requested a review from a team as a code owner August 24, 2022 11:36
@smallstepman smallstepman changed the title feat(frontend-canister): default security HTTP headers for assets in node starter project feat(frontend-canister): default security HTTP headers & HTTP redirects for assets in node starter project Aug 24, 2022
@smallstepman smallstepman marked this pull request as draft August 24, 2022 11:55
@smallstepman smallstepman changed the title feat(frontend-canister): default security HTTP headers & HTTP redirects for assets in node starter project feat(frontend-canister): secure HTTP headers & HTTP redirects for assets in default node starter project Aug 24, 2022
@smallstepman smallstepman changed the title feat(frontend-canister): secure HTTP headers & HTTP redirects for assets in default node starter project feat(frontend-canister)!: secure HTTP headers & HTTP redirects for assets in default node starter project Dec 20, 2022
@smallstepman smallstepman marked this pull request as ready for review December 20, 2022 17:28
@smallstepman
Contributor Author

smallstepman commented Dec 21, 2022

@ericswanson-dfinity please suggest a better PR name

secure configuration for assets in default frontend canister starter project

?

(I'll modify the changelog header too)

@ericswanson-dfinity
Member

@ericswanson-dfinity please suggest a better PR name

secure configuration for assets in default frontend canister starter project

?

(I'll modify the changelog header too)

What you put in the changelog looks good

default secure configuration for assets when creating a new frontend project
or
default secure configuration for assets in frontend project template

@smallstepman smallstepman changed the title feat(frontend-canister)!: secure HTTP headers & HTTP redirects for assets in default node starter project feat(frontend-canister)!: default secure configuration for assets in frontend project template Dec 21, 2022
@smallstepman
Contributor Author

I like the second one better

@smallstepman
Contributor Author

ready for re-review @ericswanson-dfinity

Co-authored-by: Eric Swanson <[email protected]>
@smallstepman smallstepman enabled auto-merge (squash) December 21, 2022 21:05
@smallstepman smallstepman merged commit d953826 into master Dec 21, 2022
@smallstepman smallstepman deleted the SDK-473-default-security-headers branch December 21, 2022 21:49