aem-boilerplate
feat: meta based csp
Setting a CSP that is only transported over the wire once and then cached on the client. Manages the CSP in an easy to read JSON file.
https://main--helix-project-boilerplate--adobe.hlx.live/ vs. https://meta-csp--helix-project-boilerplate--adobe.hlx.live/?rum=1
Hello, I'm Franklin Bot and I will run some test suites that validate the page speed. In case there are problems, just click the checkbox below to rerun the respective action.
- [ ] Re-run PSI Checks
Page | Scores | Audits
---|---|---
/ | Lighthouse returned error: FAILED_DOCUMENT_REQUEST. Lighthouse was unable to reliably load the page you requested. Make sure you are testing the correct URL and that the server is properly responding to all requests. (Details: net::ERR_ACCESS_DENIED) | (audit image not captured)
PSI check results for `/` and `/?rum=1` (score and audit images not captured).
For the record: frame-ancestors cannot be controlled via meta attribute (see https://www.w3.org/TR/CSP3/#directive-frame-ancestors), i.e. it won't work here.
And it makes sense (browser would have already started to load the iframe once the directive comes in).
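The two points above (a CSP kept in a readable JSON file and injected as a meta tag, and the fact that frame-ancestors cannot be delivered that way) can be demonstrated in a few lines of browser JavaScript. The block below is an added example, not code from this PR or from aem-boilerplate; the `SAMPLE_POLICY` object, the helper names and the set of rejected directives (`frame-ancestors`, `report-uri` and `sandbox`, which CSP3 specifies are ignored in a meta element) are the example's own assumptions about how such a file might look.

```javascript
// Added example (not the PR's code): serialize a JSON policy into a CSP string,
// drop directives that browsers ignore in <meta http-equiv="Content-Security-Policy">,
// and inject the result into <head>. Helper names and the sample policy are assumptions.

// Directives CSP3 says are not supported when delivered via a meta element.
const META_UNSUPPORTED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Constructed sample policy in an "easy to read JSON" shape (not a real project's file).
const SAMPLE_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://assets.adobedtm.com'],
  'frame-src': ['https://www.youtube.com'],
  'upgrade-insecure-requests': [],
  'frame-ancestors': ["'none'"], // will be rejected: cannot be set via meta
};

// Returns { policy, dropped }: the serialized policy text and the directives
// that were removed because a meta element cannot carry them.
function buildMetaCsp(policyJson) {
  const dropped = [];
  const parts = [];
  for (const [directive, sources] of Object.entries(policyJson)) {
    if (META_UNSUPPORTED.has(directive)) {
      dropped.push(directive);
      continue;
    }
    if (!Array.isArray(sources)) {
      throw new TypeError(`directive ${directive}: sources must be an array`);
    }
    // A ';' or whitespace inside a source would split the policy and let one
    // JSON value smuggle in a second directive, so reject it outright.
    for (const s of sources) {
      if (typeof s !== 'string' || /[;,\s]/.test(s)) {
        throw new Error(`invalid source "${s}" in ${directive}`);
      }
    }
    parts.push(sources.length ? `${directive} ${sources.join(' ')}` : directive);
  }
  return { policy: parts.join('; '), dropped };
}

// Injects the policy into the document head and returns the policy text.
// Must run before any script or iframe is requested: a meta CSP only governs
// fetches started after the element has been parsed.
function applyMetaCsp(policyJson, doc = globalThis.document) {
  const { policy, dropped } = buildMetaCsp(policyJson);
  if (dropped.length) {
    console.warn(`CSP directives ignored in <meta>, send them as an HTTP header instead: ${dropped.join(', ')}`);
  }
  if (doc) {
    const meta = doc.createElement('meta');
    meta.setAttribute('http-equiv', 'Content-Security-Policy');
    meta.setAttribute('content', policy);
    doc.head.prepend(meta);
  }
  return policy;
}
```

Running `applyMetaCsp(SAMPLE_POLICY)` as the first script in the page yields `default-src 'self'; script-src 'self' https://assets.adobedtm.com; frame-src https://www.youtube.com; upgrade-insecure-requests` in the meta tag and a console warning that `frame-ancestors` was dropped; that directive (and anything else in `META_UNSUPPORTED`) still has to come from the server as a `Content-Security-Policy` response header.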
Used this approach across multiple projects. Works great. I would like for this to be the default in boilerplate to encourage folks to use CSP.
If someone adds something to the martech stack via a tag manager (Launch/GTM) or some iframe in the content via the Embed block, then they have to explicitly allow that in the CSP in code and create a PR which would run PSI checks against the site to ensure the new plugin is not impacting page performance. This will force better practices and ensure that it is easy to still maintain performance while also adding additional libraries to martech.