Deltares / fews-web-oc

Delft-FEWS Web Operator Client
https://deltares.github.io/fews-web-oc/
GNU Affero General Public License v3.0

Don't rely on CSP style-src unsafe-inline #960

Open wkramer opened 2 months ago

wkramer commented 2 months ago

See: https://github.com/cssinjs/jss/blob/master/docs/csp.md for a solution for Vuetify style sheets. Replace vue-slider-component with v-slider from Vuetify (use next https://github.com/Deltares/fews-web-oc-components).

wkramer commented 2 months ago

Nginx instructions:

Check if your nginx install supports required modules:

nginx -V 2>&1 | tr ' ' '\n' | grep 'http_sub_module'
nginx -V 2>&1 | tr ' ' '\n' | grep 'http_ssl_module'

Standard value of request_id: https://nginx.org/en/docs/http/ngx_http_core_module.html. If NGX_OPENSSL is defined, the request_id is a cryptographically safe random number:
https://github.com/nginx/nginx/blob/4bf4650f2f10f7bbacfe7a33da744f18951d416d/src/http/ngx_http_variables.c#L2148

Check in current master: https://github.com/nginx/nginx/blob/master/src/http/ngx_http_variables.c

If the generated request_id has capital D's at positions 9, 18, 27 and 36, the number is only pseudo-random.
Bad: nonce-e8bb1abcD9ae1192bDd4c0691cDdf50a163D
Good: nonce-d5ec3b35c37b715c9ef5a98d47580f3d
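As an added example (not part of this issue or of the fews-web-oc code), the following Python check classifies a $request_id value the way the comment above describes (32 lowercase hex characters from the OpenSSL path, or 36 characters with a capital D at positions 9, 18, 27 and 36 from the pseudo-random fallback) and flags every non-cryptographic nonce in a Content-Security-Policy header. The header value below is constructed for the example.

```python
import re

# OpenSSL path: 16 bytes from RAND_bytes() hex-dumped to 32 lowercase hex characters.
_CRYPTO_RE = re.compile(r"^[0-9a-f]{32}$")
# Fallback path as described in the issue: four groups of 8 hex digits, each followed
# by a capital D, so the D's sit at positions 9, 18, 27 and 36 (36 characters in total).
_FALLBACK_RE = re.compile(r"^(?:[0-9a-f]{8}D){4}$")
# Nonce tokens inside a CSP header value, e.g. 'nonce-d5ec3b35...'
_NONCE_RE = re.compile(r"'nonce-([^']*)'")


def classify_request_id(value: str) -> str:
    """Return 'crypto', 'pseudo-random' or 'invalid' for a $request_id / CSP nonce value.

    A leading 'nonce-' prefix (as used in CSP source expressions) is accepted and stripped.
    """
    v = value.strip()
    if v.startswith("nonce-"):
        v = v[len("nonce-"):]
    if _CRYPTO_RE.match(v):
        return "crypto"
    if _FALLBACK_RE.match(v):
        return "pseudo-random"
    return "invalid"


def weak_nonces_in_csp(csp_header: str):
    """Return (nonce, classification) for every nonce in a CSP header that is not cryptographic."""
    findings = []
    for nonce in _NONCE_RE.findall(csp_header):
        kind = classify_request_id(nonce)
        if kind != "crypto":
            findings.append((nonce, kind))
    return findings


# Constructed sample header: the style-src nonce comes from the pseudo-random fallback,
# the script-src nonce from the OpenSSL path (values taken from the comment above).
SAMPLE_CSP = (
    "default-src 'self'; "
    "style-src 'self' 'nonce-e8bb1abcD9ae1192bDd4c0691cDdf50a163D'; "
    "script-src 'nonce-d5ec3b35c37b715c9ef5a98d47580f3d'"
)

if __name__ == "__main__":
    for nonce, kind in weak_nonces_in_csp(SAMPLE_CSP):
        print(f"weak nonce ({kind}): {nonce}")
```

Run it against the Content-Security-Policy header of a real response to confirm the nginx build in use takes the OpenSSL path.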