-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Library is breaking if I don't use 'unsafe-inline' in CSP #313
Comments
Hi @rishabh-jain389 - a few questions:
I would imagine it would be impossible to add CSP support to V1 without a breaking change. Likewise it may be impossible to do the same in V2 as the Thanks- |
That appears to be in a part of F2 v1 that included the easyXDM library. That was removed entirely in v2 of F2. v1 had some alternative builds that didn't include certain components depending on how F2 was being used. Those are called out over here https://github.com/OpenF2/F2/wiki/F2-Packages If that doesn't help, then I think you'll need to look at migrating to v2. |
Thanks, Brian for the information, Please confirm that v2 is compatible with React 16 and Angular 12? |
F2 is itself framework agnostic. F2 v1 had things like jQuery, jQuery UI, easyXDM bundled inside of it (in a closure) where as v2 drops all of those things and uses vanilla javascript where possible. v2 is considerably smaller than v1 and removed the things that were more than likely not used out of v1. |
Hi @brianbaker , no-bootstrap.js Please confirm if these libraries are error-free. Thanks |
As it states on the [https://github.com/OpenF2/F2/wiki/F2-Packages](Packages wiki):
So the use of the packages depends on what you already have on the page. Using I think you're probably looking for something that can't happen. F2 v1 was developed in a time when the Content Security Policy was really just getting started. The "new" browsers at the time like Firefox or Chrome supported parts of it but IE certainly did not. (We were still supporting IE 8 back then) I just don't think F2 v1 (or maybe even v2) is fundamentally compatible with CSP, especially given that how tight you lock down the page can vary from page to page. You will have to make concessions in your policies. |
Hi @brianbaker , We have migration problems from V1.4.5 to V2. Do you have any proper migration docs or valid examples for V2? This page has insufficient documentation https://openf2.github.io/F2/migrating-to-v2.html. Thank! |
I think we would need an example or some code snippets of what you have implemented. It sounds like you need your app to run in an iframe because its javascript/css/etc. conflict with the parent page and not because of security purposes. The "Secure Apps" that were in V1 were there as a security feature - if a container developer/owner wanted to ensure that an app developer didn't have some kind of access to the parent page. From a framework perspective, there was no difference when apps were running inside of an iframe or not. |
Hi @brianbaker! In v.1.4.5 we have good parsing of our app inside iframe In v2.0.0 rendering doesn't happen due to missing our inside our parent |
Hi @brianbaker , Have you checked the code snippets shared by Dmytro? Please provide your suggestion. Thanks |
Hi Team,
We are using open-f2 to build micro front-end apps for our customers. Recently we had Penetration testing for the security of the app and the security team found that we are using 'unsafe-inline' CSP which is unsafe for the security of the security purpose. If we remove 'unsafe-inline' then open-f2 logging error on the console.
According to the security Team,
• script-src 'unsafe-inline' - Inline JavaScript code, commonly used in XSS attacks, is
allowed.
• script-src 'unsafe-eval' - Potentially dangerous JavaScript functions, such as eval(),
Function(), and setTimeout() are allowed.
Remediation they have provided
• we recommend redefining a more secure content security policy for the
application as part of a defense-in-depth strategy.
• Where possible, depreciate and remove all inline JavaScript code and use of 'data:' URIs.
• Update the application's 'Content-Security-Policy' directives to reflect this change by
removing these values.
• Establish a restrictive 'default-src' using "Content-Security-Policy: default-src 'self'" and then
open it up only where needed using the content-specific directives (e.g. script-src, objectsrc).
See the below error in the console
Please update library 1.4.5 by removing or updating unsafe inlines.
Libraray Version : 1.4.5
React Version : 16
The text was updated successfully, but these errors were encountered: