Re: CSP regression
Hello All,

Recently found limitation of current CSP implementation [1]

Note: connect-src 'self' does not resolve to websocket schemas in all browsers, more info: https://github.com/w3c/webappsec-csp/issues/7

I believe this should be addressed or at least documented
(Seems to fail in Safari only)

I'm going to workaround this in our source code

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src

On Wed, 25 Mar 2020 at 18:07, Maxim Solodovnik wrote:

> Hello All,
>
> it seems it was a false alarm
> sorry for the noise :(
>
> On Tue, 24 Mar 2020 at 15:19, Maxim Solodovnik wrote:
>
>> Hmmm,
>>
>> I'll check.
>> The errors are definitely in DevTools (I'm using report-only CSP)
>> Not sure if it is first or second time
>> Will double-check and report back
>>
>> On Tue, 24 Mar 2020 at 15:17, Emond Papegaaij wrote:
>> >
>> > Hi Maxim,
>> >
>> > Are you sure? I just tried the examples and CSS resources do have
>> > nonces. Maybe you're seeing the same errors as I when opening the dev
>> > tools? Somehow Chrome is unable to load the css resources in the dev
>> > tools when the dev tools are opened after loading the page. After a
>> > refresh, it's fine again.
>> >
>> > Emond
>> >
>> > On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik wrote:
>> > >
>> > > Hello All,
>> > >
>> > > just found regression with CSP
>> > > nonce for CSS resources seems to be not added, which results in security errors
>> > > Can it be caused by latest code optimizations?
>> > >
>> > > --
>> > > WBR
>> > > Maxim aka solomax
>>
>> --
>> WBR
>> Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax

--
Best regards,
Maxim
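
The `connect-src 'self'` limitation reported in the message above can be handled on the server by listing the WebSocket origin explicitly. This is an added example, not code from the thread or from the project under discussion; `parseCsp`, `serializeCsp` and `addWebSocketSelf` are hypothetical names, and `host` is assumed to come from server configuration rather than from the request.

```javascript
// Added example: hypothetical helper names; host comes from server config.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers, so keep the first one.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ');
}

function addWebSocketSelf(policy, host, secure) {
  // Reject anything that could smuggle extra directives into the header.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/i.test(host)) {
    throw new Error('host must be a plain hostname with optional port');
  }
  const directives = parseCsp(policy);
  // connect-src falls back to default-src when it is absent.
  const effective = directives.get('connect-src') ?? directives.get('default-src');
  if (!effective || !effective.some((s) => s.toLowerCase() === "'self'")) {
    return policy; // no 'self' to expand, leave the policy untouched
  }
  // An https page can only open wss://; an http page may use either scheme.
  const wsOrigins = secure ? [`wss://${host}`] : [`ws://${host}`, `wss://${host}`];
  const sources = [...effective];
  for (const origin of wsOrigins) {
    if (!sources.includes(origin)) sources.push(origin);
  }
  // Writing connect-src explicitly: once present it replaces the default-src
  // fallback, so the copied default-src sources must stay in the list.
  directives.set('connect-src', sources);
  return serializeCsp(directives);
}
```

The host pattern does not accept bracketed IPv6 literals; extend it if the application is served from one.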
Re: CSP regression
Hello All,

it seems it was a false alarm
sorry for the noise :(

On Tue, 24 Mar 2020 at 15:19, Maxim Solodovnik wrote:

> Hmmm,
>
> I'll check.
> The errors are definitely in DevTools (I'm using report-only CSP)
> Not sure if it is first or second time
> Will double-check and report back
>
> On Tue, 24 Mar 2020 at 15:17, Emond Papegaaij wrote:
> >
> > Hi Maxim,
> >
> > Are you sure? I just tried the examples and CSS resources do have
> > nonces. Maybe you're seeing the same errors as I when opening the dev
> > tools? Somehow Chrome is unable to load the css resources in the dev
> > tools when the dev tools are opened after loading the page. After a
> > refresh, it's fine again.
> >
> > Emond
> >
> > On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik wrote:
> > >
> > > Hello All,
> > >
> > > just found regression with CSP
> > > nonce for CSS resources seems to be not added, which results in security errors
> > > Can it be caused by latest code optimizations?
> > >
> > > --
> > > WBR
> > > Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
Re: CSP regression
Hmmm,

I'll check.
The errors are definitely in DevTools (I'm using report-only CSP)
Not sure if it is first or second time
Will double-check and report back

On Tue, 24 Mar 2020 at 15:17, Emond Papegaaij wrote:
>
> Hi Maxim,
>
> Are you sure? I just tried the examples and CSS resources do have
> nonces. Maybe you're seeing the same errors as I when opening the dev
> tools? Somehow Chrome is unable to load the css resources in the dev
> tools when the dev tools are opened after loading the page. After a
> refresh, it's fine again.
>
> Emond
>
> On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik wrote:
> >
> > Hello All,
> >
> > just found regression with CSP
> > nonce for CSS resources seems to be not added, which results in security errors
> > Can it be caused by latest code optimizations?
> >
> > --
> > WBR
> > Maxim aka solomax

--
WBR
Maxim aka solomax
Re: CSP regression
Hi Maxim,

Are you sure? I just tried the examples and CSS resources do have
nonces. Maybe you're seeing the same errors as I when opening the dev
tools? Somehow Chrome is unable to load the css resources in the dev
tools when the dev tools are opened after loading the page. After a
refresh, it's fine again.

Emond

On Tue, Mar 24, 2020 at 8:53 AM Maxim Solodovnik wrote:
>
> Hello All,
>
> just found regression with CSP
> nonce for CSS resources seems to be not added, which results in security errors
> Can it be caused by latest code optimizations?
>
> --
> WBR
> Maxim aka solomax