CSP blocks event browser resources from loading #1346
Comments
That has changed in current 2.4.0 and follow-up 2.4.1 release. Currently the script tags look like this, as seen on https://ecommerce.arkademy.dev/res:

```html
<!DOCTYPE html>
<html>
<head>
<title>RubyEventStore::Browser</title>
<meta
name="ruby-event-store-browser-settings"
content='{"rootUrl":"https://ecommerce.arkademy.dev/res","apiUrl":"https://ecommerce.arkademy.dev/res/api","resVersion":"2.4.1"}'
/>
</head>
<body>
<script type="text/javascript" src="/res/ruby_event_store_browser.js"></script>
<script type="text/javascript" src="/res/bootstrap.js"></script>
</body>
</html>
```

Would that still be an issue?
For reference: #1062

Brilliant, thanks! I'll upgrade.

Apologies for not checking my Gem version, should have been first port of call. The upgrade sort of works! The JS is allowed and loads the events, but CSS is blocked because it's all inline and we have a strict It's not the end of the world though, I can browse the events still. Just takes me back to 1999 😅

I'll look into the CSS issue (coming from https://github.com/rtfeldman/elm-css).
#1346 That should highlight issues quicker.
Typed CSS is nice and also not needing to think about CSS output was nice. However it's a dead end with Content-Security-Policy. Our aim with Browser is to be as compatible with various apps as possible so it was limiting Browser adoption too much.

rtfeldman/elm-css#569 (comment)
rtfeldman/elm-css#570 (comment)
https://arkency.slack.com/files/U025BA51D/F03LJ1UPZQV/audio_clip__2022-06-22_01_11_39_.m4a

Previous idea with nonce that did not work out: https://arkency.slack.com/archives/C7B95EW3V/p1655828630714969

Related: https://github.com//issues/1346

Co-authored-by: Szymon Fiedler <[email protected]>

Elm-css and nonces turned out to be a dead end. I've brought back the external stylesheet and that would definitely work with inline styles disabled via CSP.

Fixed and released in v2.5.0

Thanks so much!
Context

We have quite a strict CSP for security reasons. We enable it in dev too to make sure we don't deploy code that doesn't work due to CSP issues. Part of this CSP configuration is using `nonced: true` on all inline JavaScript. This seems pretty standard for modern frontend security. The issue is that the RES Browser uses an un-nonced inline JavaScript tag. This means the app doesn't load.

We have other apps with significant frontend JS (e.g. BetterErrors) that work fine. I'm not sure what they're doing differently.
Workaround
My workaround is to build a simple event view using our admin tools for now.
Potential Solution
I think the issue would be fixed if the main entrypoint to Elm wasn't inlined but rather was pulled from the server like the other JS files. Rails seems to have no issue with the other sources listed in the page as I believe everything served from the host is considered fine.
I.e. it's that second script tag that is the issue.
Environment
We are on Rails 7.x, recently upgraded from Rails 6.x so our app is very 6-ish.
CSP Policy

From when run locally, hence the references to `localhost` and `.test`.
Changelog
Edit 14:30
Worked out the issue was the nonce rather than source list, updated issue accordingly.
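The maintainer's 2.4.x markup above (external `/res/*.js` files) and the issue's "Potential Solution" both boil down to one question: under a policy like `script-src 'self' 'nonce-…'`, which elements does the browser keep and which does it drop? The Ruby script below is an added example, not RailsEventStore or Rails code, that parses a CSP header and an HTML document and predicts the outcome for each `<script>`, `<style>` and `<link rel="stylesheet">`. It is useful as a pre-deployment check of the kind the issue describes running in dev. The HTML, policy and origin are constructed samples; the policy evaluation deliberately models only `'self'`, host sources, nonces, hashes and `'unsafe-inline'` (no wildcard hosts or `'strict-dynamic'`), which is an assumption of the example.

```ruby
require 'uri'

# Parse "directive src src; directive src" into { "directive" => ["src", ...] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    acc[name.downcase] = sources unless name.nil? || name.empty?
  end
end

# script-src / style-src fall back to default-src when absent, as the spec says.
def effective_sources(policy, directive)
  policy[directive] || policy['default-src'] || []
end

# scheme://host[:port] of a URI, omitting the default port.
def origin_of(uri)
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}"
end

# Is an external resource URL allowed by the source list? Handles 'self' and
# host/origin sources; wildcard hosts are not modelled (assumption).
def source_allows_url?(sources, url, page_origin)
  target = URI.join(page_origin, url)
  sources.any? do |src|
    if src == "'self'"
      origin_of(target) == page_origin
    elsif src.start_with?("'")
      false # keywords, nonces and hashes never match a URL
    else
      host_src = (URI.parse(src.include?('://') ? src : "#{target.scheme}://#{src}") rescue nil)
      host_src && host_src.host == target.host && host_src.port == target.port
    end
  end
end

# Is an inline element allowed? A matching nonce wins; 'unsafe-inline' counts only
# when the list carries no nonce or hash source (CSP Level 2+ ignores it otherwise).
def inline_allowed?(sources, nonce)
  nonces = sources.map { |s| s[/\A'nonce-(.+)'\z/, 1] }.compact
  hashed = sources.any? { |s| s.start_with?("'sha256-", "'sha384-", "'sha512-") }
  return true if sources.include?("'unsafe-inline'") && nonces.empty? && !hashed
  !nonce.nil? && nonces.include?(nonce)
end

ATTR_RE    = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/
ELEMENT_RE = %r{<(script|style)\b([^>]*)>(.*?)</\1>}mi
LINK_RE    = /<link\b([^>]*)>/i

def parse_attrs(str)
  str.scan(ATTR_RE).each_with_object({}) { |(k, a, b), h| h[k.downcase] = a || b }
end

# One hash per element: tag, kind (:external/:inline), ref (src/href), nonce, allowed.
def audit_html(html, csp_header, page_origin)
  policy = parse_csp(csp_header)
  results = []
  html.scan(LINK_RE) do |(attrs_str)|
    attrs = parse_attrs(attrs_str)
    next unless attrs['rel'].to_s.downcase == 'stylesheet' && attrs['href']
    results << { tag: 'link', kind: :external, ref: attrs['href'], nonce: nil,
                 allowed: source_allows_url?(effective_sources(policy, 'style-src'),
                                             attrs['href'], page_origin) }
  end
  html.scan(ELEMENT_RE) do |tag, attrs_str, _body|
    tag = tag.downcase
    attrs = parse_attrs(attrs_str)
    sources = effective_sources(policy, tag == 'script' ? 'script-src' : 'style-src')
    if tag == 'script' && attrs['src']
      results << { tag: tag, kind: :external, ref: attrs['src'], nonce: nil,
                   allowed: source_allows_url?(sources, attrs['src'], page_origin) }
    else
      results << { tag: tag, kind: :inline, ref: nil, nonce: attrs['nonce'],
                   allowed: inline_allowed?(sources, attrs['nonce']) }
    end
  end
  results
end

# Constructed sample page: the shapes this issue discusses (external JS/CSS, an
# inline <style>, a nonced and an un-nonced inline script, a third-party script).
SAMPLE_ORIGIN = 'https://app.example.test'
SAMPLE_CSP    = "default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self'"
SAMPLE_HTML   = <<~HTML
  <html><head>
  <link rel="stylesheet" href="/res/ruby_event_store_browser.css">
  <style>body { font-family: sans-serif }</style>
  </head><body>
  <script src="/res/ruby_event_store_browser.js"></script>
  <script src="https://cdn.example.com/extra.js"></script>
  <script nonce="abc123">Elm.Main.init()</script>
  <script>Elm.Main.init()</script>
  </body></html>
HTML

def audit_sample
  audit_html(SAMPLE_HTML, SAMPLE_CSP, SAMPLE_ORIGIN)
end

if __FILE__ == $0
  audit_sample.each do |r|
    puts format('%-6s %-9s %-40s nonce=%-7s %s', r[:tag], r[:kind], r[:ref] || '(inline)',
                r[:nonce] || '-', r[:allowed] ? 'allowed' : 'BLOCKED')
  end
end
```

Run against the sample, the two external same-origin files and the nonced script are allowed, while the un-nonced inline script, the inline `<style>` and the third-party script are blocked; that is exactly the split the thread reports (JS fixed once served from `/res/`, CSS still blocked until v2.5.0 restored an external stylesheet). Note that `inline_allowed?` drops `'unsafe-inline'` as soon as a nonce or hash is present, so adding a nonce to a policy does not silently keep legacy inline code working.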