lavas-project / jekyll-pwa

Jekyll plugin for PWA
MIT License
107 stars 19 forks

CSP: feature request #26

Closed souldanger closed 3 years ago

souldanger commented 5 years ago

Hello, I have done some testing with various Content-Security-Policies. The problem is the 'starter' script snippet that is injected at the bottom of each HTML page. Even serving this snippet with a nonce or hash still makes XSS attacks possible.

The only solution to avoid 'unsafe-inline' in the CSP is to add the snippet manually to, i.e., an existing JS file instead of the injection. However, as 98% of admins do not pay too much attention to CSP attributes, I was wondering if we could add a 'switch' to _config.yml that turns off the injection of the snippet - in jekyll-pwa-plugin.rb, lines 132-148. What do you think??? Thanks!

chenqiushi commented 5 years ago

The injected script snippet which you mentioned is used to ensure the service-worker file is always the latest version. Besides, the sw-register.js will be loaded asynchronously so that the page loading won't be blocked. Enabling the source whitelist attribute script-src: 'unsafe-inline' may help you ignore the CSP errors if possible.

souldanger commented 5 years ago

Thanks! I know the snippet is necessary to start the whole process. Using 'unsafe-inline' is not a solution, but an invitation for XSS attacks. What I would like to have is a simple switch for the persons that care about a strong CSP. With the switch in _config.yml, you should be able to turn off the file inject and add the snippet into an existing JS file instead. Call it expert mode if you will. This way you can use 'script-src: 'self'; and have a strong CSP. For those who don't care, nothing should change. It's meant to be an enhancement for the experts.
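As an added illustration of the switch proposed above (example code, not jekyll-pwa's own; the `pwa.inline_sw_register` key, the helper names and the snippet text are assumptions), here is how the choice between an inline snippet and an external file decides the minimum CSP a page needs:

```ruby
# Added example, not the plugin's code: a config switch that keeps the
# service-worker registration out of inline HTML so that a CSP of
# "script-src 'self'" is sufficient. Key name and helpers are assumed.
require 'yaml'

# Constructed stand-in for the registration snippet discussed in the thread.
SW_REGISTER_SNIPPET = "navigator.serviceWorker && navigator.serviceWorker.register('/sw.js');"

# Read the switch from the site's _config.yml data.
# Default (key absent or true) keeps today's behaviour: inline <script>.
def inline_register?(config)
  pwa = config['pwa'] || {}
  pwa.fetch('inline_sw_register', true)
end

# Add the registration tag just before </body>.
# Expert mode emits a <script src> pointing at a same-origin file,
# which script-src 'self' allows without 'unsafe-inline'.
def inject_sw_register(html, config, external_path: '/assets/sw-register.js')
  tag = if inline_register?(config)
          "<script>#{SW_REGISTER_SNIPPET}</script>"
        else
          "<script src=\"#{external_path}\"></script>"
        end
  html.sub(%r{</body>}i) { "#{tag}\n</body>" }
end

# In expert mode the snippet body must be written to that external file
# (returned here so the caller can emit it); nil means nothing to write.
def external_register_js(config)
  inline_register?(config) ? nil : SW_REGISTER_SNIPPET
end

# The tightest script-src directive under which the page still works.
def script_src_for(config)
  inline_register?(config) ? "script-src 'self' 'unsafe-inline'" : "script-src 'self'"
end

if __FILE__ == $PROGRAM_NAME
  page = "<html><body><h1>Hi</h1></body></html>"
  expert = YAML.safe_load("pwa:\n  inline_sw_register: false\n")
  puts inject_sw_register(page, expert)
  puts script_src_for(expert)
end
```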

rossPatton commented 3 years ago

Enable the source whitelist attribute script-src: 'unsafe-inline' may help you ignore the CSP errors if possible.

This just defeats the purpose of a CSP.

souldanger commented 3 years ago

Hi Ross, here's a different approach that respects CSPs: https://rubygems.org/gems/jekyll-pwa-workbox/ https://github.com/souldanger/jekyll-pwa-workbox