Disable CSP by default #7589

Merged
merged 5 commits into from
Feb 9, 2024

@normanrz normanrz commented Jan 25, 2024

#7367 and #7450 added CSP support to WEBKNOSSOS. For our production and hosted dev instances this is a win for security. However, for dev purposes (e.g. in a local network) and our open-source users, this adds substantial friction. This PR proposes to effectively disable CSP by default. We'll of course keep stricter rules for our hosted instances.

Happy to discuss and hear your feedback.


(Please delete unneeded items, merge only when none are left open)


@daniel-wer daniel-wer left a comment

I can follow the reasoning 👍

Could you open a PR in the kube repository adapting the config for our dev instances and wk.org? The comments that are no longer relevant for the application.conf could also be moved there (the ones concerning the dev setup can be removed of course).

@bulldozer-boy bulldozer-boy bot merged commit 282aeef into master Feb 9, 2024
2 checks passed
@bulldozer-boy bulldozer-boy bot deleted the no-csp-default branch February 9, 2024 09:22
3 participants