
Set CSP for worker-src

Status: Open. flozia opened this issue 2 years ago • 2 comments

References:

Jira: MNTOR-2616: Celebration screen animation not triggered on Firefox

Description

If supported, the confetti animation is rendered by a web worker; for Firefox we need to set the CSP for worker-src.

flozia, Dec 05 '23 11:12

> Oh heh, have you been able to verify that this is enough to fix it? I'm a bit surprised we don't need to pass in a nonce or add the worker's hash to the headers.

At least locally I have been able to verify that this fixes the issue. Also curious what @rhelmer thinks about adding this rule.

flozia, Dec 05 '23 16:12

Hm yeah I think this works but I don't think it's very safe unfortunately, per https://www.w3.org/TR/CSP2/#source-list-guid-matching

> As defined above, special URL schemes that refer to specific pieces of unique content, such as "data:", "blob:" and "filesystem:" are excluded from matching a policy of * and must be explicitly listed. Policy authors should note that the content of such URLs is often derived from a response body or execution in a Document context, which may be unsafe. Especially for the default-src and script-src directives, policy authors should be aware that allowing "data:" URLs is equivalent to unsafe-inline and allowing "blob:" or "filesystem:" URLs is equivalent to unsafe-eval.

Is it possible to load this worker via an HTTPS URL instead of blob:? If not then I'd consider nonce or hash, but loading from URL is probably the simplest if that's possible.

rhelmer, Dec 05 '23 18:12
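The point rhelmer raises above is easy to check mechanically: whichever directive ends up governing worker loads, a `blob:` entry in it is what the CSP2 text equates with `'unsafe-eval'`. The following is an added example, not code from blurts-server, that parses a CSP header string, resolves the directive that applies to worker requests (CSP3 fallback: `worker-src`, then `child-src`, `script-src`, `default-src`), flags the `data:`/`blob:`/`filesystem:` sources the spec calls out, and decides whether a given worker script URL would be allowed. The policy strings and origins are constructed for the example, and source matching is simplified to origin level (no path or wildcard-host matching).

```javascript
// Added example (not blurts-server code): audit the directive that governs
// web worker loads and flag the schemes CSP2 treats as unsafe-inline/unsafe-eval.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// CSP3 fallback chain for worker requests, most specific first.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Return the directive that actually applies to workers, or null if the
// policy does not restrict them at all.
function effectiveWorkerDirective(policy) {
  for (const name of WORKER_FALLBACK) {
    if (policy.has(name)) return name;
  }
  return null;
}

// Schemes excluded from '*' that must be listed explicitly; CSP2 notes that
// allowing them in script-like directives is equivalent to these keywords.
const RISKY_SCHEMES = {
  'data:': "'unsafe-inline'",
  'blob:': "'unsafe-eval'",
  'filesystem:': "'unsafe-eval'",
};

// List the risky sources present in the directive that governs workers.
function riskyWorkerSources(policy) {
  const name = effectiveWorkerDirective(policy);
  if (name === null) {
    return [{ directive: null, source: '*', equivalentTo: 'no restriction' }];
  }
  const findings = [];
  for (const src of policy.get(name)) {
    if (Object.prototype.hasOwnProperty.call(RISKY_SCHEMES, src)) {
      findings.push({ directive: name, source: src, equivalentTo: RISKY_SCHEMES[src] });
    }
  }
  return findings;
}

// Simplified source-list matching for a worker script URL: only 'none',
// 'self', '*', explicit special schemes and exact scheme://host origins.
function workerAllowed(policy, workerUrl, pageOrigin) {
  const name = effectiveWorkerDirective(policy);
  if (name === null) return true;
  const sources = policy.get(name);
  if (sources.includes("'none'")) return false;

  const scheme = workerUrl.split(':')[0].toLowerCase() + ':';
  if (scheme === 'blob:' || scheme === 'data:' || scheme === 'filesystem:') {
    // Excluded from '*' by the spec: allowed only when listed explicitly.
    return sources.includes(scheme);
  }

  const origin = new URL(workerUrl).origin;
  if (sources.includes("'self'") && origin === pageOrigin) return true;
  if (sources.includes('*')) return true;
  return sources.some((s) => {
    try {
      return new URL(s).origin === origin;
    } catch {
      return false; // keyword or bare host, not an absolute origin
    }
  });
}

module.exports = { parseCsp, effectiveWorkerDirective, riskyWorkerSources, workerAllowed };
```

Running `riskyWorkerSources` over a policy such as `worker-src 'self' blob:` reports the `blob:` entry as equivalent to `'unsafe-eval'`, while `worker-src 'self'` with the worker served from a same-origin URL (the option suggested in the comment above) reports nothing and still lets the worker load; a policy with no `worker-src` at all silently inherits whatever `script-src` allows, which is the case the fallback check is there to make visible.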

@flozia are you still working on this one?

rhelmer, Jul 31 '24 20:07

> @flozia are you still working on this one?

@rhelmer Yes, I’ll pick this one up again together with MNTOR-2616 this week.

flozia, Aug 01 '24 10:08

> Is it possible to load this worker via an HTTPS URL instead of blob:? If not then I'd consider nonce or hash, but loading from URL is probably the simplest if that's possible.

@rhelmer There is currently no other way to load the worker other than using blob: — I suggest we do without the worker for now

flozia, Aug 20 '24 14:08

Preview URL :rocket: : https://blurts-server-pr-3838-mgjlpikfea-uk.a.run.app

github-actions[bot], Aug 20 '24 14:08

Cleanup completed - database 'blurts-server-pr-3838' destroyed, cloud run service 'blurts-server-pr-3838' destroyed

github-actions[bot], Aug 21 '24 10:08