
Add Content Security Policy #497

Merged: 7 commits merged into master from feature/content-security-policy, Dec 11, 2020

@RobinDaugherty RobinDaugherty (Member) commented Dec 11, 2020

Add our own Content Security Policy headers when Better Errors responds, which heavily restricts the resources that can be used/referenced, but allows our scripts and styles. It uses a nonce for the script blocks, but currently we rely on inline style because of the way syntax highlighting works (which will change someday, for example in #423).

Turbolinks (of course)

When Turbolinks is in use, our headers are not evaluated by the browser when loading the console page. If the CSP headers sent by the application restrict inline CSS and JS, the console will not function or be presented correctly.

So we also provide fallback modes, where the user is informed of the reason and given a link to open Better Errors in a new tab. This fallback includes the topmost frame information, so essentially the same information as the "text" version is available on the page, even if not well-formatted.

When inline style is available but inline script is not:
[Screenshot: Screen Shot 2020-12-11 at 1 43 21 PM]

When inline style is not available but script is:
[Screenshot: Screen Shot 2020-12-11 at 1 48 54 PM]

When both are not available:
[Screenshot: Screen Shot 2020-12-11 at 1 42 40 PM]
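The two mechanisms the description relies on, a per-response nonce in the error page's own CSP and a decision about which fallback mode to show when the browser enforces the application's CSP instead, can be shown together in a small Ruby sketch. This is an added example, not code from this PR or from the better_errors gem; the exact directive set in build_error_page_csp, the function names, and the mode symbols are assumptions made for illustration.

```ruby
require 'securerandom'

# Per-response nonce; a fresh value per render is what makes 'nonce-...'
# safe to include in script-src.
def generate_nonce
  SecureRandom.base64(16)
end

# CSP for the error page itself: scripts only with this response's nonce,
# inline styles permitted (highlighting is inlined), everything else denied.
# The directive set is an assumption for this example, not the gem's policy.
def build_error_page_csp(nonce)
  [
    "default-src 'none'",
    "script-src 'nonce-#{nonce}'",
    "style-src 'unsafe-inline'",
    "img-src data:",
  ].join('; ')
end

# Parse a CSP header value into { directive_name => [source expressions] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name.downcase] = sources
  end
end

# A fetch directive falls back to default-src when absent; nil means the
# policy does not restrict this kind of resource at all.
def effective_sources(policy, directive)
  policy[directive] || policy['default-src']
end

# Is an inline block permitted under this directive? True when nothing
# applies, when our nonce is listed, or when 'unsafe-inline' is present and
# no nonce/hash source is listed (a nonce or hash source disables 'unsafe-inline').
def inline_allowed?(policy, directive, nonce: nil)
  sources = effective_sources(policy, directive)
  return true if sources.nil?
  return true if nonce && sources.include?("'nonce-#{nonce}'")
  has_nonce_or_hash = sources.any? { |s| s =~ /\A'(nonce|sha(256|384|512))-/ }
  sources.include?("'unsafe-inline'") && !has_nonce_or_hash
end

# Choose how to present the page given the CSP the browser will enforce
# (under Turbolinks that is the application's header, not the error page's).
def fallback_mode(app_csp_header, nonce)
  policy = parse_csp(app_csp_header.to_s)
  script_ok = inline_allowed?(policy, 'script-src', nonce: nonce)
  style_ok  = inline_allowed?(policy, 'style-src')
  if script_ok && style_ok then :full
  elsif style_ok then :no_script   # styled page, no interactive console
  elsif script_ok then :no_style   # scripts run, page is unstyled
  else :text_only                  # frame summary plus "open in new tab" link
  end
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_nonce
  puts build_error_page_csp(nonce)
  # Constructed sample application policy: allows inline CSS but not inline JS.
  puts fallback_mode("default-src 'self'; style-src 'self' 'unsafe-inline'", nonce)
end
```

Note that an application policy combining 'unsafe-inline' with a nonce or hash source is treated as blocking inline blocks, because browsers ignore 'unsafe-inline' in that case; that is the situation the Turbolinks fallback exists for.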

@RobinDaugherty RobinDaugherty force-pushed the feature/content-security-policy branch from 01a7c8d to b9d9ab7 on December 11, 2020 19:01
@coveralls coveralls commented Dec 11, 2020

Pull Request Test Coverage Report for Build 416094686

  • 21 of 23 (91.3%) changed or added relevant lines in 3 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.06%) to 96.899%

Changes missing coverage          Covered lines   Changed/added lines   %
lib/better_errors/error_page.rb   15              17                    88.24%

Totals                            Coverage status
Change from base Build 396793693  +0.06%
Covered lines                     500
Relevant lines                    516

💛 - Coveralls

@RobinDaugherty RobinDaugherty changed the title Add Content Security Policy and fall back when JS/CSS are not working Add Content Security Policy Dec 11, 2020
@RobinDaugherty RobinDaugherty merged commit 4f58080 into master Dec 11, 2020
@RobinDaugherty RobinDaugherty deleted the feature/content-security-policy branch December 11, 2020 19:08