misskey
misskey copied to clipboard
misskey-dev
enhance: CSPの導入
What
- CSPを導入するためにインラインスクリプトを使用していた箇所を全て別のファイルに切り分ける
- インラインイベントハンドラを全て置き換える
Content-Security-Policyヘッダを送るようにする- 設定でCSPヘッダで送る内容を指定できるようにする
Why
- XSSが存在した場合に、ある程度影響を軽減できるようにしたい
TODO
済
- Captcha関連のJavaScriptを使えるように
- できたはず
- 他にdocument.createElementでscriptタグを生成している箇所がないか洗い出し
- MkTagCloud:
/client-assets/tagcanvas.min.jsを読み込んでいるだけなので問題無さそうに見える
- MkTagCloud:
- 他にインラインイベントハンドラを使っている箇所がないか確認
[^\w\-/]on\w+=で探したが無さそう
- report-onlyで一通り機能を使ってみて何か発生するか確認
- test.patchを適用
- ノートの投稿
- Renote
- 引用
- リプライ
- YouTubeの埋め込み
- URLのプレビュー
- ローカルタイムラインの表示
- ホームタイムラインの表示
- ソーシャルタイムラインの表示
- 各種MFM
- ウィジェット
- プロフィール
- インスタンス情報
- クリッカー
- ユーザーリスト
- 藍
- AiScript App
- AiScriptコンソール
- ボタン
- ジョブキュー
- オンラインユーザー
- サーバーメトリクス
- スライドショー
- 投稿フォーム
- インスタンスクラウド
- 連合
- UNIX時計
- デジタル時計
- フォト
- アクティビティ
- 時計
- トレンド
- RSSティッカー
- RSSリーダー
- カレンダー
- タイムライン
- 通知
- 付箋
- グローバルタイムライン
- 通知
- 全て
- 未読
- あなた宛て
- ダイレクト投稿
- ノートお気に入り
- お気に入りタブ
- ファイルアップロード
- 画像添付ノート
- アンケート添付ノート
- 注釈付きノート
- メンション付きノート
- 絵文字を入れたノート
- 動画添付ノート
- ドライブタブ
- 名前を変更
- 閲覧注意にする
- キャプションを付ける
- URLをコピー
- ダウンロード
- 削除
- 見つけるタブ
- ハイライト
- ノート
- アンケート
- ユーザー
- ローカル
- リモート
- 検索
- 全て
- ローカル
- リモート
- ハイライト
- お知らせタブ
- 画像付き
- わかったボタン
- 検索タブ
- UI切り替え
- デフォルト
- デッキ
- カラムの追加
- メイン
- ウィジェット
- 通知
- タイムライン
- アンテナ
- リスト
- チャンネル
- あなた宛て
- ダイレクト
- カラムの追加
- クラシック
- コントロールパネル
- ダッシュボード
- 照会
- ユーザー
- ノート (TODOと出る)
- ファイル (TODOと出る)
- インスタンス (TODOと出る)
- ユーザー
- 照会
- ユーザーを追加
- ロール
- ロールの作成
- ベースロール
- ユーザーアサイン/解除
- 編集
- 削除
- ベースロール
- トグルボタン
- スクロールバー
- 数値
- カスタム絵文字
- ファイルをアップロード
- ファイルをドライブから選択
- URLから
- エクスポート
- インポート
- リモート
- 連合
- ジョブキュー
- ファイル
- お知らせ
- 広告
- 通報
- 全般
- メールサーバー
- オブジェクトストレージ
- セキュリティ
- Botプロテクション
- hCaptchaプレビュー
- reCAPTCHAプレビュー
- Turnstileプレビュー
- センシティブなメディアの検出
- Active Email Validation
- Log IP address
- Summaly Proxy
- Botプロテクション
- リレー
- インスタンスブロック
- プロキシアカウント
- データベース
- チャット
- メッセージ送信
- 画像送信
- リスト
- 作成
- ユーザー追加
- 名前を変更
- 削除
- アンテナ
- 作成
- 更新
- 削除
- ページ
- ページ設定
- 作成
- アイキャッチ画像
- コンテンツ
- テキスト
- セクション
- 画像
- ノート埋め込み
- ページ表示
- Misskey Play
- 人気
- 自分のPlay
- いいねしたPlay
- 作成
- 実行
- ギャラリー
- ギャラリー
- いいねした投稿
- 自分の投稿
- 投稿作成
- 編集
- 削除
- 共有
- ノート
- クリップ
- 作成
- 削除
- チャンネル
- トレンド
- フォロー中
- 管理中
- 実績
- リロードボタン
- ページ設定
- 設定
- プロフィール
- プライバシー
- リアクション
- ドライブ
- 通知
- メール
- セキュリティ
- 全般
- カスタムCSS
- デッキ
- テーマ
- ナビゲーションバー
- ステータスバー
- プラグイン
- インポートとエクスポート
- インスタンスミュート
- ミュートとブロック
- ワードミュート
- API
- API console
- Webhook
- その他
- アカウント情報
- レジストリ
- 設定のバックアップ
- キャッシュをクリア
- ログアウト
- cli
- flush
- テスト結果
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/explore","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/announcements","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/announcements","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/search?q=test","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/admin/emojis","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/admin/emojis","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/admin/emojis","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/admin/abuses","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/@test2","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/admin/relays","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/admin/other-settings","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/my/messaging","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/test2","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/@test2","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/@test2","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/pages/new","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/gallery/9b3czu4smz","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/admin/abuses","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/my/achievements","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/settings/custom-css","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/settings/theme","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/settings/navbar","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/settings/theme","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/settings/statusbar","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/settings/preferences-backups","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/settings/preferences-backups","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
{"csp-report":{"document-uri":"http://localhost:3000/settings/preferences-backups","referrer":"http://localhost:3000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}
- worker-srcにblob:を追加: https://github.com/catdad/canvas-confetti/blob/57281ace0da693a7079cf3b9f2d0d8e3b1db30b6/src/confetti.js#L154
- nonceを送信するように (CDNによっては動的にCSPヘッダをパースしてscriptタグに付与する場合があるため)
備考
- hCaptchaのCSPについて: https://docs.hcaptcha.com/#content-security-policy-settings
- TurnstileのCSPについて: https://developers.cloudflare.com/turnstile/frequently-asked-questions/#how-does-content-security-policy-need-to-be-configured-for-turnstile
- reCAPTCHAのCSPについて: https://developers.google.com/recaptcha/docs/faq#im-using-content-security-policy-csp-on-my-website.-how-can-i-configure-it-to-work-with-recaptcha
テスト
- base確認
- note確認
- cli確認
- flush確認
- reCAPTCHA v2
- reCAPTCHA v3
- hCaptcha
- Turnstile
- MkTagCloud
- エラー発生時のリロードボタン
Additional info (optional)
Closes #9848
vuedraggableが一箇所だけminify後にnew Functionを使用しているため、やむを得ず'unsafe-eval'を追加。 unsafeとついてはいるものの、eval()やFunction()等に直接ユーザー入力を渡していない限りは問題ない。
メモ: globalThis の polyfill で使ってるだけっぽそうなので fork してビルドし直せば FunctionConstructor 消せそう
https://github.com/webpack/webpack/blob/c181294865dca01b28e6e316636fef5f2aad4eb6/lib/runtime/GlobalRuntimeModule.js#L29
これを読んだ限りではCSPが有効化されていた場合の例外処理もされていそう?なので実はunsafe-evalいらないかもしれない
これを読んだ限りではCSPが有効化されていた場合の例外処理もされていそう?なので実はunsafe-evalいらないかもしれない
多分 unsafe-eval 外しても問題ないと思います(なんなら Content-Security-Policy と Content-Security-Policy-Report-Only を一旦併用して雑に洗い出しても良いかも)
多分 unsafe-eval 外しても問題ないと思います(なんなら Content-Security-Policy と Content-Security-Policy-Report-Only を一旦併用して雑に洗い出しても良いかも)
明日試してみます!
misskey.ioの村上さんにお願いしてCSP関連のログをご提供いただけることになったので、一旦Content-Security-Policy-Report-Onlyのみをmisskey.ioで有効化してログを確認した上で、改めてContent-Security-Policyを有効化する方向にしようと思います!
@tamaina 現状忙しくて手を付けられていないんですが、TODOの部分を実装しないと一部機能が動かなくなること、実装後に追加でテストを行う必要があるため、それらが完了するまでDraftは外せない形になります (引き継いでくださる方がいらっしゃるようであればお願いしたい状態ではありますが、時間が確保でき次第作業を再開するつもりです)