laravel / horizon

Dashboard and code-driven configuration for Laravel queues.
https://laravel.com/docs/horizon
MIT License

Horizon Dashboard does not work with strict content security policy #1018

Closed Grldk closed 3 years ago

Grldk commented 3 years ago

Description:

Apparently the Horizon dashboard uses eval, which makes it unusable for us in production. I'm not in a position to disable the CSP for security reasons. And I'm not familiar with Vue, so I'm not sure how to solve this.

Apart from this it also loads an external font from google fonts which is blocked, but I don't think this breaks functionality. Making layout.blade.php publishable and editable would enable us to fix/work around this.

Steps To Reproduce:

Set a CSP which excludes the use of unsafe-eval and external style sources, observe the dashboard not loading and producing errors in the JavaScript console:

Content Security Policy: The page’s settings blocked the loading of a resource at https://fonts.googleapis.com/css?family=Nunito (“style-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
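The two console errors above come down to two questions about the policy the webserver sends: does the governing script-src list contain 'unsafe-eval', and does the governing style-src list match the fonts.googleapis.com origin? The checker below answers both for a given header value; it is an added example, not Horizon code, and the two header strings are constructed to mirror a strict policy and a relaxed one.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; a repeated directive is ignored, per spec."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_sources(policy, directive):
    """Sources governing a fetch directive, falling back to default-src; None means unrestricted."""
    return policy[directive] if directive in policy else policy.get("default-src")

def allows_eval(policy):
    """eval()/new Function() only run when the governing source list carries 'unsafe-eval'."""
    sources = effective_sources(policy, "script-src")
    return sources is None or "'unsafe-eval'" in sources

def allows_url(policy, directive, url):
    """Approximate host-source matching: '*', 'scheme:', exact host, or '*.host' wildcard.
    'self' is intentionally not matched, since only external origins are tested here."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    target = urlsplit(url)
    for src in sources:
        if src == "*" or src == f"{target.scheme}:":
            return True
        src_host = urlsplit(src if "://" in src else f"//{src}").hostname
        if src_host == target.hostname:
            return True
        if src_host and src_host.startswith("*.") and target.hostname.endswith(src_host[1:]):
            return True
    return False

def horizon_blockers(header):
    """Report which of the two resources named in the console errors a header would block."""
    policy = parse_csp(header)
    font_url = "https://fonts.googleapis.com/css?family=Nunito"
    return {
        "eval_blocked": not allows_eval(policy),
        "google_fonts_blocked": not allows_url(policy, "style-src", font_url),
    }

# Constructed headers: a strict policy like the reporter's, and one relaxed for the dashboard.
STRICT_CSP = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
RELAXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com"
```

Running `horizon_blockers(STRICT_CSP)` flags both resources, `horizon_blockers(RELAXED_CSP)` flags neither; paste the header your webserver actually sends to see which of the two is biting you.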

driesvints commented 3 years ago

Apparently the Horizon dashboard uses eval

Hmm, I can't find that. Can you point out where exactly?

google fonts which is blocked

It falls back to the default sans-serif font so this isn't that much of an issue I think.

I don't think we're going to take action here since nothing really is broken. Sorry.

Grldk commented 3 years ago

@driesvints

This has been reported before (should have added that, I'm sorry) see https://github.com/laravel/horizon/issues/576

Vue seems to use eval in some cases. I'm not familiar with Vue, so I'm not sure what the best solution to this is. https://forum.vuejs.org/t/csp-problem-with-eval/17581 seems to suggest using the Vue runtime build fixes this. https://github.com/laravel/horizon/issues/576 implies this issue has been introduced into Horizon with version 3 and could be fixed in another way, but having never done anything with Vue I'm not sure.

I would say that this is unwanted and should be considered a bug, as setting a strict CSP seems to be more and more common, but that's just my perspective.

In our production environment the CSP headers are set by the webserver, and I'm not in a position to change them for horizon.

driesvints commented 3 years ago

If you can send in a non-breaking pr we could consider it maybe.

Grldk commented 3 years ago

I'll try freeing up some time in the coming week to take a stab at it. Would you consider reopening this so someone with experience with Vue might try to fix this?

driesvints commented 3 years ago

No sorry. Just send in a pr if you're willing.