estuary / ui

A web based UI to assist in working with Estuary Flow
https://dashboard.estuary.dev/

Add `Trusted Types` and other security related headers to the UI #1344

Open travjenkins opened 3 weeks ago

travjenkins commented 3 weeks ago

The lists are NOT exhaustive. Only what we or Csper.io discovered.


Trusted Types

We should be really safe and start working on getting the UI to work with Trusted Types

Not 100% sure how we'll handle this yet - but we should try to make slow and steady progress.

Apache eCharts

Tooltip writes to the DOM (screenshot)

Stripe

HTMLScriptElement src|https://js.stripe.com/v3
HTMLScriptElement src|https://js.stripe.com/v3/fingerprinted/j

LogRocket

This one is weird cause we have it marked in the script-src
HTMLScriptElement src|https://cdn.logr-ingest.com/logger-1.min

GTM

HTMLScriptElement src|https://www.googletagmanager.com/gtm.js?

Monaco

Worker constructor|/static/editor.worker-e9368882.js
Worker constructor|/static/json.worker-3dd12af9.js

UNKNOWNS

Given the code around it I think this is Apache eCharts (screenshot)


Cross Origin Opener

We have the header in place but Chrome is still complaining about this. Not 100% sure what it is complaining about

```nginx
...
# "always" is an add_header flag and must sit outside the quoted value,
# otherwise it becomes part of the Permissions-Policy header text
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Cross-Origin-Opener-Policy same-origin-allow-popups always;
add_header Content-Security-Policy "
...
```

OAuth Providers

Opening the pop-up and communicating complains (screenshot)
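As an added example (not code from the estuary/ui repository or from the issue author), here is one way to start the "slow and steady" Trusted Types work described under the Trusted Types section: a single policy that covers the sinks the issue lists, namely third-party `<script src>` loads (Stripe, LogRocket, GTM), Monaco's `Worker` constructor, and the eCharts tooltip that writes HTML. The allowed hosts and worker paths are taken from the issue; the policy name `estuary-ui`, the choice of `https://dashboard.estuary.dev` as the app origin, and the decision to treat tooltip content as plain text are assumptions for this example.

```javascript
// Added example for this issue, not code from the estuary/ui repository.
// One Trusted Types policy for the sinks the issue reports: third-party
// <script src> (Stripe, LogRocket, GTM), Monaco's Worker constructor, and
// eCharts' tooltip HTML. Policy name "estuary-ui" and APP_ORIGIN are assumptions.

const APP_ORIGIN = 'https://dashboard.estuary.dev'; // assumed app origin (page header URL)

// Third-party script origins the issue reports as blocked.
const SCRIPT_ORIGINS = new Set([
  'https://js.stripe.com',
  'https://cdn.logr-ingest.com',
  'https://www.googletagmanager.com',
]);

// Monaco workers: same-origin bundles with hashed names under /static/.
const WORKER_PATH = /^\/static\/[a-z]+\.worker-[0-9a-f]{8}\.js$/;

function parseUrl(input) {
  try {
    return new URL(String(input), APP_ORIGIN); // resolves relative worker paths
  } catch {
    return null; // unparsable input is never allowed
  }
}

// A script URL is allowed only if it is https and either its origin is on the
// list or it is a same-origin Monaco worker bundle. Query strings (gtm.js?...)
// are fine because only the origin and path are checked.
function isAllowedScriptUrl(input) {
  const u = parseUrl(input);
  if (!u || u.protocol !== 'https:') return false;
  if (SCRIPT_ORIGINS.has(u.origin)) return true;
  return u.origin === APP_ORIGIN && WORKER_PATH.test(u.pathname);
}

// Tooltip content is treated as text: any markup characters are escaped.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

const POLICY_RULES = {
  createScriptURL(input) {
    const url = String(input);
    if (isAllowedScriptUrl(url)) return url;
    throw new TypeError(`Trusted Types: blocked script URL ${url}`);
  },
  createHTML(input) {
    return escapeHtml(input);
  },
  // No createScript rule on purpose: eval-style sinks stay blocked.
};

// In a browser with Trusted Types this returns a real TrustedTypePolicy; elsewhere
// (older browsers, Node) it returns the plain rules so callers use the same API.
function createUiPolicy(tt = globalThis.trustedTypes) {
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy('estuary-ui', POLICY_RULES);
  }
  return POLICY_RULES;
}

const uiPolicy = createUiPolicy();
// Usage: script.src = uiPolicy.createScriptURL('https://js.stripe.com/v3');
//        new Worker(uiPolicy.createScriptURL('/static/editor.worker-e9368882.js'));
```

The policy has to be created before any of the listed libraries run, and the CSP must both require and name it (`require-trusted-types-for 'script'; trusted-types estuary-ui`). Shipping that first under `Content-Security-Policy-Report-Only` surfaces every remaining sink without breaking the dashboard. If the eCharts tooltips genuinely need markup, escaping is too strict and the `createHTML` rule would instead hand the string to a sanitizer that can return a TrustedHTML value.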