Open Prinzhorn opened 6 years ago
There are only minor changes needed to make it compatible with most CSP (unless you're deploying nonces, in which case you wouldn't include a whole third party UI anyway).
So far I'm only getting two violations:
Remove all inline scripts
So far I believe this is the only one: https://github.com/Automattic/kue/blob/f0e6c065c70ea81dbe507d099f3e5d76728c31b0/lib/http/views/job/list.pug#L6-L9. It can easily be removed and instead the main.js just extracts the state from the URL param or some data-attribute or whatever. Or use the classes which are already used: https://github.com/Automattic/kue/blob/f0e6c065c70ea81dbe507d099f3e5d76728c31b0/lib/http/public/javascripts/main.js#L61-L65
Remove all inline styles
It looks like this is caused by jQuery (1.5.2, which was released over 7 years ago), e.g. here: https://github.com/Automattic/kue/blob/f0e6c065c70ea81dbe507d099f3e5d76728c31b0/lib/http/public/javascripts/jquery.min.js#L590. Kue works fine without it though. Not sure if later jQuery versions are able to perform the feature detection in a different way, or if you don't even need them if you don't support IE 7.
Workaround
For now I've added the five inline scripts (one for each init call with a different state) to my CSP:
'sha256-AG7f2dWSVT7PzRVOg4vdj4QJT5TWZgibLrz+8noMzBo=' 'sha256-HY4KrwsYRtScNIbuhzy+fjlt4gwD6XpPRDM+8/QhBx0=' 'sha256-X6A98cKmTrgCjr9UC735GF0rSmlk/sNZ0/wUADbbzwA=' 'sha256-pbfxrLZuFMjagsAbeuTNzfn6uHKI2KlQFEcQxfKyXqQ=' 'sha256-j9K2ZLFsAilkvwC8Vg0wT0UAL6EftbWYTwRgPZMtsi4='