05_MM_MY #24

MathisMontegnies · 2023-02-15T12:34:59Z

CSP

The rules enforced allow script, image, plus style resources to be loaded from the same origin, and Websocket connection to be established similarly.

Modified to permit inline styles to be inserted on the page and fonts to be fetched from the same origin.

Part 1: Meta

To permit the Content-Security-Policy header sent by the server to be taken into consideration.

The correct rules are now automatically served from the server upon receiving an HTTP request.

Part 2: Server-side CSP

The added script appends an HTML formatted message to the page.

Get verbose information about blocked scripts and later whitelist them.

It whitelists a single SHA256 hash for the scripts that invokes document.write().

Part 3: CSP3

Timed annotation seems to be missing, a dependency for metrics-annotation has been added.

A class that acquires the random CSP nonce from the server using the API.

To remove Typescript errors, data is now of type any with no further checks.

Now it's one of the providers and dependency injection can be used afterwards.

Now it makes use of the CspConfig service and displays the CSP nonce on the debug console.

Removed an additional closing bracket.

Part 1: Server-side

Part 2: Client-side

imm8 and others added 20 commits February 9, 2023 00:51

Enabled CSP with Meta

6cb28a2

The rules enforced allow script, image, plus style resources to be loaded from the same origin, and Websocket connection to be established similarly.

Update CSP rules

a5760f7

Modified to permit inline styles to be inserted on the page and fonts to be fetched from the same origin.

Merge pull request #1 from imm8/csp_patch_part_1_meta

1cd0f06

Part 1: Meta

Disabled CSP in Meta

39da63a

To permit the Content-Security-Policy header sent by the server to be taken into consideration.

Enabled CSP Config

5ac04e3

The correct rules are now automatically served from the server upon receiving an HTTP request.

Merge pull request #2 from imm8/csp_patch_part_1_spring

0555be7

Part 2: Server-side CSP

Inserted an Inline script

03d7cf5

The added script appends an HTML formatted message to the page.

Enable Reporting sample

159d11e

Get verbose information about blocked scripts and later whitelist them.

Enable Strict CSP

862502d

It whitelists a single SHA256 hash for the scripts that invokes document.write().

Merge pull request #3 from imm8/csp_patch_part_1_csp3

f8791f2

Part 3: CSP3

Fixed dependencies

22b1774

Timed annotation seems to be missing, a dependency for metrics-annotation has been added.

Implemented CSPResource class

0179556

Implemented CSP class

87315d8

Created CSPConfig class

6d538b2

A class that acquires the random CSP nonce from the server using the API.

Loosened type for data

02d220e

To remove Typescript errors, data is now of type any with no further checks.

Referenced CspConfig

40b4451

Now it's one of the providers and dependency injection can be used afterwards.

Created AppComponent constructor

2277661

Now it makes use of the CspConfig service and displays the CSP nonce on the debug console.

Fixed CSPResource class

58389fb

Removed an additional closing bracket.

Merge pull request #4 from imm8/csp_patch_part_2_server

f6cc778

Part 1: Server-side

Merge pull request #5 from imm8/csp_patch_part_2_client

9bad16f

Part 2: Client-side

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

05_MM_MY #24

05_MM_MY #24

MathisMontegnies commented Feb 15, 2023

05_MM_MY #24

Are you sure you want to change the base?

05_MM_MY #24

Conversation

MathisMontegnies commented Feb 15, 2023