
Add Subresource Integrity Generator

Open vzool opened this issue 2 years ago • 13 comments

This PR uses the gulp-sri-hash plugin on a build tool called gulp to force SRI hashes on js/css files when they are loaded by html files. gulp can be installed globally with this command:

npm install --global gulp-cli

Don't forget to run npm install to update the dev dependencies. gulp will update the html files with the recommended coding style and update the SRI hashes automatically if necessary. So, for any future changes to js/css file contents you just need to run:

gulp

Finally, for future development: just gulp, commit and push. 😋✌️

vzool avatar Feb 08 '23 09:02 vzool

We also need to add Nonce-based strict CSP or Hash-based strict CSP. As Passky Website is client side only, we would need to use Hash-based strict CSP.

https://web.dev/strict-csp/

zigazajc007 avatar Feb 08 '23 10:02 zigazajc007

CSP is already provided in the _headers file and it is not recommended to use CSP inside HTML. It should be provided by Nginx / Apache (the web server).

zigazajc007 avatar Feb 08 '23 13:02 zigazajc007

CSP is already provided in the _headers file and it is not recommended to use CSP inside HTML. It should be provided by Nginx / Apache (the web server).

I think if it is provided on both sides it will be better, since zero trust means every party must always verify. 🤗

vzool avatar Feb 08 '23 17:02 vzool

CSP is already provided in the _headers file and it is not recommended to use CSP inside HTML. It should be provided by Nginx / Apache (the web server).

I think if it is provided on both sides it will be better, since zero trust means every party must always verify. 🤗

Would need to check / do some research on the disadvantages of providing CSP in both ways.

zigazajc007 avatar Feb 08 '23 21:02 zigazajc007

Would need to check / do some research on the disadvantages of providing CSP in both ways.

Of course there is one issue which is also an advantage: the website will no longer work over HTTP when accessing a deployment on the LAN (http://192.168.x.x), and that's an excellent thing. So, the solution is to provide a self-signed certificate, which is better than plain text, and access the LAN deployment via (https://192.168.x.x). 🤗 Even so, all browsers will just give a certificate error with the option to ignore it and continue serving the website. 😋✌️

vzool avatar Feb 09 '23 02:02 vzool

We also need to add Nonce-based strict CSP or Hash-based strict CSP. As Passky Website is client side only, we would need to use Hash-based strict CSP.

https://web.dev/strict-csp/

Done 😋✌️

vzool avatar Feb 09 '23 07:02 vzool

Now if you try to inject any code like:

// Create a <script> element whose body is inline code rather than a src URL
let script = document.createElement("script");
script.innerHTML = "alert('YOU HAVE BEEN HACKED');";
// Inserting it asks the browser to run inline script that has no CSP hash, so the CSP refuses it
document.body.appendChild(script);

It will not allow you to do that anymore; this is too delicious. 😋✌️

Screenshot 1444-07-18 at 11 24 00 AM

vzool avatar Feb 09 '23 08:02 vzool

This is the current status 🙈

Screenshot 1444-07-18 at 11 26 56 AM

vzool avatar Feb 09 '23 08:02 vzool

Would need to check / do some research on the disadvantages of providing CSP in both ways.

Of course there is one issue which is also an advantage: the website will no longer work over HTTP when accessing a deployment on the LAN (http://192.168.x.x), and that's an excellent thing. So, the solution is to provide a self-signed certificate, which is better than plain text, and access the LAN deployment via (https://192.168.x.x). 🤗 Even so, all browsers will just give a certificate error with the option to ignore it and continue serving the website. 😋✌️

Sadly this won't be possible because of Umbrel and also Tor. Both Umbrel and Tor operate on HTTP.

zigazajc007 avatar Feb 09 '23 09:02 zigazajc007

Sadly this won't be possible because of Umbrel and also Tor. Both Umbrel and Tor operate on HTTP.

I'm not sure why Umbrel supposes that a LAN network is always safe; in fact, it is never safe. Any network attached to the internet is not safe anymore. I tested Umbrel before and it is still not stable. So, I think it is fine for Passky to go with Umbrel on HTTPS and later on Tor. 🤔

vzool avatar Feb 09 '23 09:02 vzool

Sadly this won't be possible because of Umbrel and also Tor. Both Umbrel and Tor operate on HTTP.

I'm not sure why Umbrel supposes that a LAN network is always safe; in fact, it is never safe. Any network attached to the internet is not safe anymore. I tested Umbrel before and it is still not stable. So, I think it is fine for Passky to go with Umbrel on HTTPS and later on Tor. 🤔

Umbrel manages certificates on their own, so we would probably need to wait for them to add support first. A LAN network is not always safe, but it is a lot safer than hosting Passky Server on the internet, where everyone has access to it.

zigazajc007 avatar Feb 09 '23 09:02 zigazajc007

Umbrel manages certificates on their own, so we would probably need to wait for them to add support first. A LAN network is not always safe, but it is a lot safer than hosting Passky Server on the internet, where everyone has access to it.

The gulp build script has been expanded to export extra resources for the "insecure HTTP protocol" into the directory Passky-Website/dist/http, which can be used to build the image for Umbrel. But the dist/http directory is not tracked by git, so you can type gulp to generate all the files, or just call ./publish_for_http.sh from the terminal, which will transform the secure HTTPS web app to work with the "insecure HTTP protocol". 😋✌️

vzool avatar Feb 12 '23 07:02 vzool

BTW, on the HTTP side integrity and CSP still work, but without the need for the HTTPS channel, which is no longer required for the transformed app in dist/http, while the original app still forces HTTPS. Now we can support the best of both worlds. 🤗

vzool avatar Feb 12 '23 12:02 vzool