Skip to content

Re-add CSP, use flask-talisman #234

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
epicfaace wants to merge 17 commits into
base: main
Choose a base branch
from
Open

Re-add CSP, use flask-talisman #234

epicfaace wants to merge 17 commits into from

Conversation

@epicfaace
Copy link
Contributor

@epicfaace epicfaace commented Aug 25, 2022

  • Re-add CSP, set unsafe-inline for CSS and unsafe-eval for JS to ensure the proofer functionality still works
  • Use flask-talisman to set CSP. This also sets a bunch of other best-practice security defaults like HSTS, etc. -- see https://github.com/GoogleCloudPlatform/flask-talisman

epicfaace
epicfaace commented Aug 25, 2022
View reviewed changes
@epicfaace epicfaace requested a review from akprasad August 27, 2022 21:14
@akprasad
Copy link
Contributor

akprasad commented Aug 29, 2022

Just to check, have you already looked through the docs here?

https://alpinejs.dev/advanced/csp

@epicfaace
Copy link
Contributor Author

epicfaace commented Aug 30, 2022

Just to check, have you already looked through the docs here?

https://alpinejs.dev/advanced/csp

Yes, I tried this, though 1) alpinejs-csp is not available through the cdn and you need to bundle it locally, and 2) when I did that, and did what the docs suggested around x-data, I still faced some other issues -- which I haven't resolved yet. Happy to push that branch up though.

@akprasad
Copy link
Contributor

akprasad commented Aug 30, 2022
edited
Loading

Cool, overall SGTM.

Before merge, let's resolve the outstanding conflicts. I also removed the Server API so let's just use ordinary fetches instead.

akprasad
akprasad reviewed Sep 9, 2022
View reviewed changes
ambuda/static/js/main.js
@@ -1,3 +1,3 @@
/* globals Alpine, Sanscript */

import { $ } from './core.ts';
Copy link
Contributor

@akprasad akprasad Sep 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move to line 9

Copy link
Contributor

@akprasad akprasad Sep 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, maybe my diff was out of date? lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@akprasad akprasad akprasad left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@epicfaace @akprasad