
Re-add CSP, use flask-talisman

Open epicfaace opened this issue 2 years ago • 3 comments

  • Re-add CSP, set unsafe-inline for CSS and unsafe-eval for JS to ensure the proofer functionality still works
  • Use flask-talisman to set CSP. This also sets a bunch of other best-practice security defaults like HSTS, etc. -- see https://github.com/GoogleCloudPlatform/flask-talisman

epicfaace, Aug 25 '22 20:08

Just to check, have you already looked through the docs here?

https://alpinejs.dev/advanced/csp

akprasad, Aug 29 '22 20:08

> Just to check, have you already looked through the docs here?
>
> https://alpinejs.dev/advanced/csp

Yes, I tried this, though 1) alpinejs-csp is not available through the cdn and you need to bundle it locally, and 2) when I did that, and did what the docs suggested around x-data, I still faced some other issues -- which I haven't resolved yet. Happy to push that branch up though.

epicfaace, Aug 30 '22 13:08
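An added example (not code from the ambuda repository, from flask-talisman, or from either commenter) that puts the two points above into runnable form: the policy shape flask-talisman accepts, with `'unsafe-eval'` on `script-src` for the stock Alpine.js build and `'unsafe-inline'` confined to `style-src`, a renderer that produces the header string so it can be inspected offline, and an audit that flags the shortcut that would defeat the exercise, namely `'unsafe-inline'` on `script-src`. The CDN hostname is a placeholder, and `create_app` imports Flask and Talisman lazily so the rest of the file runs without them installed.

```python
# Added example: the CSP proposed in this issue, expressed as the dict
# flask-talisman takes, plus an offline renderer and audit. Not project code.
from typing import Dict, List

# flask-talisman's content_security_policy argument is a dict mapping a
# directive to a list of sources. The CDN host below is a placeholder.
PROOFER_CSP: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    # The stock Alpine.js build compiles x-data / x-on expressions with
    # new Function(), which needs 'unsafe-eval'. The CSP build of Alpine
    # (https://alpinejs.dev/advanced/csp) would let this keyword go.
    # Inline <script> blocks remain blocked: no 'unsafe-inline' here.
    "script-src": ["'self'", "'unsafe-eval'", "https://cdn.example.invalid"],
    # Alpine writes element.style for x-show and friends, so styles need it.
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],  # the ordinary fetch() calls from the proofer
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}

# The tempting shortcut: one permissive default-src so "everything works".
LAX_CSP: Dict[str, List[str]] = {
    "default-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
}

# Fetch directives fall back to default-src when they are not set.
_FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src",
    "font-src", "media-src", "object-src", "frame-src",
}


def render_csp(policy: Dict[str, List[str]]) -> str:
    """Serialize a policy dict into a Content-Security-Policy header value."""
    return "; ".join(f"{directive} {' '.join(sources)}"
                     for directive, sources in policy.items())


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that actually govern `directive`, honouring the default-src fallback."""
    if directive in policy:
        return list(policy[directive])
    if directive in _FETCH_DIRECTIVES:
        return list(policy.get("default-src", []))
    return []  # non-fetch directives (base-uri, frame-ancestors) do not fall back


def audit_csp(policy: Dict[str, List[str]]) -> List[str]:
    """Findings prefixed 'fail:' undo the XSS protection; 'warn:' are trade-offs."""
    findings: List[str] = []
    scripts = effective_sources(policy, "script-src")
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("fail: script-src allows 'unsafe-inline', so any injected <script> runs")
    if any(s in ("*", "http:", "https:", "data:") for s in scripts):
        findings.append("fail: script-src has a wildcard or bare scheme source")
    if "'unsafe-eval'" in scripts:
        findings.append("warn: script-src allows 'unsafe-eval' (required by the non-CSP Alpine build)")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("fail: object-src is not 'none', so plugin content can load")
    if "base-uri" not in policy:
        findings.append("fail: base-uri missing, so an injected <base> can redirect relative URLs")
    return findings


def create_app(policy: Dict[str, List[str]] = PROOFER_CSP):
    """Flask app with flask-talisman applying `policy` (imports are lazy on purpose).

    Talisman also enables HTTPS redirection and HSTS by default, which is the
    'bunch of other best-practice defaults' the issue refers to.
    """
    from flask import Flask
    from flask_talisman import Talisman

    app = Flask(__name__)
    Talisman(app, content_security_policy=policy)
    return app


if __name__ == "__main__":
    for name, policy in (("proofer", PROOFER_CSP), ("lax", LAX_CSP)):
        print(f"[{name}] Content-Security-Policy: {render_csp(policy)}")
        for finding in audit_csp(policy):
            print(f"  {finding}")
```

The audit deliberately reports `'unsafe-eval'` only as a warning: it is the price of the stock Alpine build and does not by itself let injected markup execute, whereas `'unsafe-inline'` on `script-src` does. Moving to Alpine's CSP build is what would let the warning be removed.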

Cool, overall SGTM.

Before merge, let's resolve the outstanding conflicts. I also removed the Server API so let's just use ordinary fetches instead.

akprasad, Aug 30 '22 16:08