Closed tupaschoal closed 6 months ago
All modified and coverable lines are covered by tests :white_check_mark:
Comparison is base (8c4e573) 79.37% compared to head (6b85894) 79.40%. Report is 11 commits behind head on main.
@tupaschoal looks like this hash is only needed because we have a short inline script to set the window.$ variable.
Buuut, I've just tested removing that part and it looks like we no longer need that. I'm not sure if it's because of the electron migration or something else, but taking the inline script out leads to the same behavior on the tool. Then we no longer need the hash on the CSP.
@tupaschoal can you please do the same for the other windows?
My bad @araujoarthur0, I somehow thought the issue applied only to the calendar. I've done it for them all now :)
\changelog-update Message: Fix [#1044]: Introduce Content Security Policies to app's pages User: tupaschoal
Related issue
Closes #1038
Context / Background
App was giving out security warnings on the JS console when fired up, as shown here: ![image](https://github.com/thamara/time-to-leave/assets/6443427/aeeb32c3-90fc-4193-9242-35b5dab7d0af)
What change is being introduced by this PR?
As far as I understood from the electron documentation, the Content Security Policy (CSP), when defined, prevents a malicious user from modifying/injecting stuff into our script calls. For when we have inline scripts, we could either use unsafe-inline, which would defeat the purpose of the CSP, a nonce, or a hash. When setting the CSP to just self, it would complain and already give the hash of the inline scripts, so I just used those hashes to not restrict it instead. If we ever change those inline scripts we'll need to update the hash, but I think that is ok.
How will this be tested?
The warnings are gone. I don't really think this was a big problem for us, but at least: ![image](https://github.com/thamara/time-to-leave/assets/6443427/092a151b-dec0-4b76-acdf-3a22c9feb56c)