Enforce CSP #551

Merged
merged 2 commits into from
Oct 7, 2021

Conversation

aomarks
Member

@aomarks aomarks commented Oct 7, 2021

Switches our Content Security Policy from report-only mode to enforced mode.

According to our internal dashboard, it looks like CSP violation numbers dropped very sharply on October 1, which is the day #540 landed. There do seem to be a few reports coming in as recently as October 5, but if so it is a very small number. Could be due to caching? Browser extensions injecting scripts/images etc. will also cause ongoing CSP violations, that's expected behavior.

Also adds https://www.googletagmanager.com to the img-src directive, since https://developers.google.com/tag-manager/web/csp documents that this is needed, and in one page load I did actually see a violation here in local dev mode (but not consistently -- I can't reproduce it now). I guess analytics sometimes uses images for some reason.

Fixes #517

Filed #550 to track the most important improvement, which we can't do until https://bugs.chromium.org/p/chromium/issues/detail?id=1253267 is fixed.
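The two changes described above (delivering the policy as enforced instead of report-only, and adding the Tag Manager host to img-src), as an added example that is not lit.dev's own code; the other directives, the /csp-report endpoint and the page origin are assumptions, and the source matcher is deliberately simplified:

```javascript
// Added example, not from the lit.dev repository. The policy below is a
// constructed stand-in: only the img-src addition is taken from the PR.
const POLICY = {
  'default-src': ["'self'"],
  // Tag Manager may load tracking pixels, hence the extra img-src host.
  'img-src': ["'self'", 'data:', 'https://www.googletagmanager.com'],
  'report-uri': ['/csp-report'], // assumed reporting endpoint
};

function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Report-only: the browser sends violation reports but still loads the
// resource. Enforced: the browser blocks the resource and reports it.
function cspHeader(policy, enforce) {
  return {
    name: enforce
      ? 'Content-Security-Policy'
      : 'Content-Security-Policy-Report-Only',
    value: serializePolicy(policy),
  };
}

// Simplified matcher: handles 'self', 'none', scheme-only sources such as
// data:, and exact-origin host sources. Real CSP also supports wildcards,
// paths, nonces and hashes, which are omitted here. Directives missing from
// the policy fall back to default-src, as the browser does.
function allowedBy(policy, directive, url, pageOrigin) {
  const sources = policy[directive] || policy['default-src'] || [];
  const target = new URL(url, pageOrigin);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.endsWith(':')) return target.protocol === src;
    return target.origin === src;
  });
}
```

Checking a candidate URL against the policy before flipping the header is a cheap way to confirm that the remaining reports in the dashboard are from sources the policy is meant to block.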

@github-actions

github-actions bot commented Oct 7, 2021

A live preview of this PR will be available at the URL(s) below.
The latest URL will be appended to this comment on each push.
Each build takes ~5-10 minutes, and will 404 until finished.

https://pr551-f6d47fc---lit-dev-5ftespv5na-uc.a.run.app/
https://pr551-409ae8e---lit-dev-5ftespv5na-uc.a.run.app/

@AndrewJakubowicz
Contributor

Why did the second build fail to deploy a preview site?

@aomarks
Member Author

aomarks commented Oct 7, 2021

Why did the second build fail to deploy a preview site?

Because NPM has been down this morning. Retrying now, since I think things are back up.

@aomarks
Member Author

aomarks commented Oct 7, 2021

Why did the second build fail to deploy a preview site?

Because NPM has been down this morning. Retrying now, since I think things are back up.

Now back up!

Contributor

@AndrewJakubowicz AndrewJakubowicz left a comment


I reviewed the entire website manually by going to (I believe) every single page, including the blog pages with YouTube embed, every tutorial & every playground example.

LGTM!

@aomarks aomarks merged commit 2645cb1 into main Oct 7, 2021
@aomarks aomarks deleted the enable-csp branch October 7, 2021 20:40
Successfully merging this pull request may close these issues.

Set up CSP policy for lit.dev