Support adding module-specific resource hosts to more CSP directives #996
Conversation
@labkey-willm How do we deal with branching/versions of this file? Do we need to leave ${LABKEY.ALLOWED.CONNECTIONS} so we don't break on images with versions of LK from previous branches?
as Stuart said in chat, "when the change is merged to the server repo, new PR's will be created in DockerFile and syseng-chef-server repos. As long as we don't merge the syseng-chef-server change until after 25.2 is deployed, we should be ok. We will need to merge the syseng-chef-server PR before we do our first 25.3 deployment."
| object-src 'none' ; /* These tags are not currently used by LKS */\ | ||
| style-src 'self' 'unsafe-inline' ; /* We currently have a few inline <style> tags that we are weeding out */\ | ||
| style-src 'self' 'unsafe-inline' ${STYLE.SOURCES} ; /* We currently have a few inline <style> tags that we are weeding out */\ | ||
| img-src 'self' data: ; /* Limit image loading locations */\ |
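Review bot: the new `${STYLE.SOURCES}` placeholder on the style-src line is spliced verbatim into the directive, so whatever populates it needs validation (host-sources or scheme-sources only, no bare `*`, no `'unsafe-*'` keywords, and no `;` that would start a new directive), otherwise a module can relax the policy rather than only add hosts. On the following img-src line the list stays fixed at `'self' data:` with no matching placeholder; either add one now for consistency with style-src or note in the comment that img-src is intentionally not module-extensible. When `${STYLE.SOURCES}` expands to empty, the line yields a double space before `;`, which browsers tolerate.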
I will be surprised if we don't end up fielding a request to customize img-src at some point.
Yep, probably. It will be very easy to add more directives in follow-on PRs... perhaps even the UI one coming up. I was mostly focused on getting the infrastructure in place and tested, and resolving immediate failures caused by the recent CSP changes (ReactJS hot reloading, CDS tests, etc.).
Rationale
Modules need the ability to allow specific font, style, frame, etc. hosts that they require
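The diff adds a `${STYLE.SOURCES}` substitution point to style-src, and the discussion expects img-src and other directives to follow. As an added example (not LabKey's code), the block below shows the merge step such a mechanism needs on the server side: per-module host lists are folded into a base policy, each contribution is checked to be a CSP host-source or scheme-source, and contributions that would weaken the policy (keywords such as `'unsafe-inline'`, a bare `*`, or an addition to a directive locked to `'none'`) are refused. The directive names, the base policy and the `{module: {directive: [source, ...]}}` registration shape are assumptions modelled on the hunk, not LabKey APIs.

```python
"""Assemble a Content-Security-Policy value from a base policy plus
module-contributed source lists, validating each contribution.

Added example, not LabKey code: directive names, the base policy
(modelled on the style-src / img-src lines in the PR diff) and the
module registration format are constructed here for illustration.
"""
import re
from typing import Dict, List

# Base policy: the server's own defaults for the directives it emits.
BASE_POLICY: Dict[str, List[str]] = {
    "object-src": ["'none'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
}

# host-source per CSP3: optional scheme, optional "*." wildcard label,
# host, optional port (or "*"), optional path.  A bare "*" is rejected.
_HOST_SOURCE = re.compile(
    r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*://)?"            # scheme://
    r"(?:\*\.)?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*"  # host, optional leading *.
    r"(?::(?:\d{1,5}|\*))?"                        # :port or :*
    r"(?:/[^\s;,]*)?$"                             # /path
)
_SCHEME_SOURCE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:$")  # e.g. https:  data:


def validate_source(src: str) -> str:
    """Return src if it is a host-source or scheme-source a module may add.

    Keyword sources ('self', 'unsafe-inline', 'none', nonces, hashes) and
    the bare wildcard are refused: a module may only widen the list of
    hosts, never relax the restrictions the base policy expresses.
    """
    s = src.strip()
    if not s or " " in s or ";" in s or "," in s:
        raise ValueError(f"malformed CSP source: {src!r}")
    if s.startswith("'") or s == "*":
        raise ValueError(f"modules may not add keyword or wildcard source: {s}")
    if _SCHEME_SOURCE.match(s) or _HOST_SOURCE.match(s):
        return s
    raise ValueError(f"not a host-source or scheme-source: {s}")


def module_source_allowed(src: str) -> bool:
    """Boolean form of validate_source for callers that prefer not to catch."""
    try:
        validate_source(src)
        return True
    except ValueError:
        return False


def build_csp(base: Dict[str, List[str]],
              module_sources: Dict[str, Dict[str, List[str]]]) -> str:
    """Merge module_sources ({module: {directive: [source, ...]}}) into base
    and serialise the policy as a single header value."""
    merged = {d: list(srcs) for d, srcs in base.items()}
    for module, directives in module_sources.items():
        for directive, sources in directives.items():
            if directive not in merged:
                raise ValueError(f"{module}: unsupported directive {directive}")
            if merged[directive] == ["'none'"]:
                # 'none' must stand alone; appending a host would be invalid.
                raise ValueError(f"{module}: {directive} is locked to 'none'")
            for src in sources:
                v = validate_source(src)
                if v not in merged[directive]:
                    merged[directive].append(v)
    # Directives that received nothing are emitted unchanged; no placeholder
    # token or stray whitespace is left behind.
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in merged.items())


if __name__ == "__main__":
    # Constructed registration: a hypothetical module that loads web fonts.
    registrations = {
        "fontmodule": {
            "style-src": ["https://fonts.googleapis.com"],
            "font-src": ["https://fonts.gstatic.com"],
        }
    }
    print(build_csp(BASE_POLICY, registrations))
```

Each contribution is checked individually so a rejected module fails loudly at startup rather than silently producing a policy with `script-src *` spliced in via a crafted host string. Adding support for another directive is a one-line change to the base policy; directives whose base is `'none'` (object-src in the hunk) stay closed.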
Related Pull Requests