jimmywarting / StreamSaver.js

StreamSaver writes streams directly and asynchronously to the filesystem
https://jimmywarting.github.io/StreamSaver.js/example.html
MIT License

CSP error on script-src: self #156

Open gewoonjerry opened 4 years ago

gewoonjerry commented 4 years ago

Since the script for mitm is in the html itself, our CSP throws an error when configuring script-src to self. We have implemented a workaround by adding the script hash to the CSP. The downside of this is that it prevents a simple update of the streamsaver package in our project, because it will change the hash when the script changes. My suggestion is placing the mitm.html script in a separate js file, so package updates won't affect the CSP rules.

jimmywarting commented 4 years ago

you mean like this:

<!-- mitm.html -->
<script src="mitm.js"></script>

?

gewoonjerry commented 4 years ago

Exactly. This way the CSP rule of 'script-src self' isn't violated.

jimmywarting commented 4 years ago

Can I still change the html as I like then (as long as I don't add any other inline script)? Thinking maybe I want to keep updating my own integrity check every time mitm.js changes

<!-- mitm.html -->
<script src="mitm.js" integrity="sha1-xxxx"></script>

jimmywarting commented 4 years ago

also wondering about the race condition of when a postmessage can be sent... The mitm.js script must have registered a window.onmessage event handler before the mitmIframe.onload triggers inside streamsaver.js

gewoonjerry commented 4 years ago

> Can I still change the html as I like then (as long as I don't add any other inline script)? Thinking maybe I want to keep updating my own integrity check every time mitm.js changes
>
> <!-- mitm.html -->
> <script src="mitm.js" integrity="sha1-xxxx"></script>

Yeah that won't be any problem. Unless you also want to add styles for some reason, then a separate css file would also be advised since the style-src self CSP will otherwise be violated ;)

> also wondering about the race condition of when a postmessage can be sent... The mitm.js script must have registered a window.onmessage event handler before the mitmIframe.onload triggers inside streamsaver.js

I'm not 100% sure, but I think that won't be an issue. Although I think it will be better to place it in the head tag. In my recollection this blocks the html parsing until the external script is loaded.

jimmywarting commented 4 years ago

inline css 🤣 the mitm is a hidden iframe

Think I read/understood that document.body.onload will trigger when the whole DOM has been parsed and window.onload will trigger when all resources have loaded.

guess iframe.onload corresponds to window.onload...