veliovgroup / flow-router

🚦 Carefully extended flow-router for Meteor
https://packosphere.com/ostrio/flow-router-extra
BSD 3-Clause "New" or "Revised" License

ostrio:flow-router-extra not compatible with Meteor's recommended Content Security Policy header #83

Closed cormip closed 3 years ago

cormip commented 3 years ago

Meteor 1.11.1's recommended Content Security Policy header is as follows:

content-security-policy: default-src 'self';script-src 'self' 'unsafe-inline';connect-src *;img-src 'self';style-src 'self' 'unsafe-inline'

When enabling this header, ostrio:flow-router-extra v3.7.5 throws the following console error, and the site does not properly load:

[ostrio:flow-router-extra] [route.wait] Promise not resolved EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

    at eval (<anonymous>)
    at dynamic-import.js?hash=0f2311c136f044e1f30b6366b6439a5716941499:134
    at fileEvaluate (modules-runtime.js?hash=23fe92393aa44a7b01bb53a510a9cab5fb43037c:346)
    at Module.require (modules-runtime.js?hash=23fe92393aa44a7b01bb53a510a9cab5fb43037c:248)
    at Module.moduleLink [as link] (modules.js?hash=ce94eff1dd3be3f1b26dded727f641fe089d88f8:351)
    at getNamespace (dynamic-import.js?hash=0f2311c136f044e1f30b6366b6439a5716941499:187)
    at dynamic-import.js?hash=0f2311c136f044e1f30b6366b6439a5716941499:40
    at meteor.js?hash=857dafb4b9dff17e29ed8498a22ea5b1a3d6b41d:1234

How do we resolve this?

coagmano commented 3 years ago

That's an issue with the Guide. Meteor's dynamic imports use eval to load modules that have been fetched from the server, and so must be allowed in CSP for import() to work.

Further, flow-router-extra doesn't directly call import() anywhere, so as long as you aren't using dynamic import in your routes, it will work fine with the current recommended CSP.

dr-dimitru commented 3 years ago

@cormip

  1. Is content-security-policy under your control?
  2. Can you add unsafe-eval to script-src 'self' rule?

cormip commented 3 years ago

Yes, adding the "unsafe-eval" directive solves the issue. However, I'll need to make another pass through the app to make sure that all the user text inputs are properly "sanitized".
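
The two points made above, that Meteor's dynamic import() needs eval to be allowed by the script-src directive and that adding 'unsafe-eval' to that directive resolves the error, can be checked mechanically. The following is an added example, not code from flow-router-extra, Meteor, or anyone in this thread. It parses a Content-Security-Policy header, reports whether the sources governing script execution permit eval, and produces the policy with 'unsafe-eval' added to script-src only. It also handles the case the header in the report does not show: when script-src is absent, browsers fall back to default-src, so the helper materialises script-src from default-src instead of loosening every directive. The function names and the `METEOR_RECOMMENDED_CSP` constant are this example's own.

```javascript
// Added example; not part of the flow-router-extra project or this thread.
// Parses a Content-Security-Policy header and answers the question raised
// above: do the sources governing script execution allow eval(), which
// Meteor's dynamic import() relies on to evaluate fetched module code?

// The header quoted in the issue report, copied here as sample input.
const METEOR_RECOMMENDED_CSP =
  "default-src 'self';script-src 'self' 'unsafe-inline';connect-src *;img-src 'self';style-src 'self' 'unsafe-inline'";

// Parse "dir src src; dir src" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// The source list that actually governs script execution: script-src when
// present, otherwise the default-src fallback, otherwise null (unrestricted).
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True when eval-style string evaluation is permitted under this policy.
function allowsEval(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true; // no script restriction at all
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

function serializeCsp(directives) {
  return [...directives.entries()]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Return the policy with 'unsafe-eval' added to script-src and nothing else.
// If script-src is absent, it is created from the default-src sources so the
// relaxation stays scoped to scripts rather than widening default-src.
function withUnsafeEval(header) {
  const directives = parseCsp(header);
  if (allowsEval(header)) return serializeCsp(directives);
  const base = effectiveScriptSources(directives) || [];
  directives.set('script-src', [...base, "'unsafe-eval'"]);
  return serializeCsp(directives);
}

// Stand-alone run: show the verdict on the recommended header and the fix.
console.log('eval allowed:', allowsEval(METEOR_RECOMMENDED_CSP));
console.log('adjusted policy:', withUnsafeEval(METEOR_RECOMMENDED_CSP));
```

The helper only ever touches script-src, because 'unsafe-eval' is what gates string evaluation (eval, new Function); the 'unsafe-inline' source already present in the recommended header is a separate relaxation and is the one that matters for the user-input sanitisation pass mentioned above.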

dr-dimitru commented 3 years ago

@cormip I'm glad this issue was quickly solved. Check hooks in FilesCollection API, there are plenty of ways to check and sanitize user selected files.

Please support this project with: