
Security Rules

Open colinbes opened this issue 8 years ago • 2 comments

Finally getting to upgrade to Lift 3 (yay).

I am getting a script-src content security warning due to lift-ng inserting JS into the page (inserting service calls), amongst others, e.g.

<script type="text/javascript">
  // <![CDATA[
  angular.module("bc.services", ["lift-ng"]).factory("deviceService", ["liftProxy", function(liftProxy) {
    return {"getUsageTo": function(json) {return ...
  }]);
  // ]]>
</script>

Any suggestions, or do I need to set the script-src policy using LiftRules.securityRules as below?

scriptSources = List(
  ContentSourceRestriction.UnsafeEval,
  ContentSourceRestriction.UnsafeInline,
  ContentSourceRestriction.Self
)

colinbes avatar Oct 11 '17 18:10 colinbes

Hey Colin! This one slipped off my radar. Did you get CSP configured for your needs? One of these days I hope to refactor lift-ng to not need this tweaking.

joescii avatar Jan 12 '18 14:01 joescii

No problem. For now I have just set security policies via Lift rules and also enabled extractInlineJavaScript. Not ideal (I think), but it allows me to continue.

LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    styleSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.All
    ),
    connectSources = List(
      ContentSourceRestriction.All
    ),
    scriptSources = List(
      ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self
    ),
    imageSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self
    )
  )))
}

LiftRules.extractInlineJavaScript = true

colinbes avatar Jan 12 '18 16:01 colinbes
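A tighter variant of the same LiftRules.securityRules block, added here as an illustration and not taken from the thread or from lift-ng itself. It assumes that with extractInlineJavaScript enabled Lift serves the extracted inline scripts (including the lift-ng service stub above) as a same-origin resource covered by Self, so UnsafeInline can be dropped from script-src, and that the application has no cross-origin connect or style sources; the Host entry in the comment is a placeholder.

```scala
import net.liftweb.http.{ContentSecurityPolicy, ContentSourceRestriction, LiftRules, SecurityRules}

// Illustrative tightening of the policy posted above (not the project's own code).
// Inline scripts are extracted and served by Lift from the same origin, so 'self'
// covers them; verify this against the violation reports before enforcing.
LiftRules.extractInlineJavaScript = true

LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    // default-src 'self': any directive not listed below falls back to same-origin only
    defaultSources = List(ContentSourceRestriction.Self),
    // connect-src: Lift's ajax/comet endpoints are same-origin, so All is not needed.
    // For an external API add ContentSourceRestriction.Host("https://api.example.com") (placeholder).
    connectSources = List(ContentSourceRestriction.Self),
    scriptSources = List(
      // AngularJS 1.x compiles expressions with eval unless ng-csp is used,
      // so 'unsafe-eval' stays; 'unsafe-inline' is no longer required.
      ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.Self
    ),
    // style-src: keep 'unsafe-inline' only until inline styles move to stylesheets;
    // All is replaced by Self so third-party stylesheets cannot be injected.
    styleSources = List(
      ContentSourceRestriction.Self,
      ContentSourceRestriction.UnsafeInline
    ),
    // img-src: 'unsafe-inline' has no meaning for images; use Self, and add
    // ContentSourceRestriction.Scheme("data") only if data: URIs are actually used.
    imageSources = List(ContentSourceRestriction.Self)
    // reportUri is left at Lift's default, so the browser posts each violation
    // back to Lift, which logs it; that is how the assumptions above get checked.
  )))
}
```

Run the application in dev mode first, where Lift reports rather than enforces the policy, and tighten further only once the log shows no violations for normal page flows.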