Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce content security policy (CSP) #29545

Merged
merged 12 commits into from
Feb 1, 2019
Merged

Introduce content security policy (CSP) #29545

merged 12 commits into from
Feb 1, 2019
+193 −13

Commits on Jan 31, 2019

  1. csp: nonce and unsafe-eval for scripts 

    To kick things off, a rudimentary CSP implementation only allows
dynamically loading new JavaScript if it includes an associated nonce
that is generated on every load of the app.

A more sophisticated content security policy is necessary, particularly
one that bans eval for scripts, but one step at a time.
    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    9f40321 View commit details
    Browse the repository at this point in the history

  2. img-src is not necessary if the goal is not to restrict

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    d993433 View commit details
    Browse the repository at this point in the history

  3. configurable CSP owned by security team

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    c92b482 View commit details
    Browse the repository at this point in the history

  4. smoke test

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    20b1714 View commit details
    Browse the repository at this point in the history

  5. remove x-content-security-policy

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    876ddf6 View commit details
    Browse the repository at this point in the history

  6. document csp.rules

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    d8b6af7 View commit details
    Browse the repository at this point in the history

  7. Merge remote-tracking branch 'upstream/master' into csp2

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    3dce3c9 View commit details
    Browse the repository at this point in the history

  8. fix tsconfig for test

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    be59cf9 View commit details
    Browse the repository at this point in the history

  9. switch integration test back to regular js

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    86ae1d3 View commit details
    Browse the repository at this point in the history

  10. stop looking for tsconfig in test

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    9d82aeb View commit details
    Browse the repository at this point in the history

  11. grrr, linting errors not caught by precommit

    @epixa
    epixa committed Jan 31, 2019
    Configuration menu
    Copy the full SHA
    06c39d9 View commit details
    Browse the repository at this point in the history

Commits on Feb 1, 2019

  1. docs: people -> you for consistency sake 

    Co-Authored-By: epixa <court@epixa.com>
    @legrego @epixa
    legrego and epixa authored Feb 1, 2019
    Configuration menu
    Copy the full SHA
    c5f9f3d View commit details
    Browse the repository at this point in the history