Use "unsafe-wasm-eval" instead of "unsafe-eval" in script-src CSP #20606
Conversation
|
Thanks. I think you changed the wrong |
|
Please explain what you are doing and why |
|
In the CSP we are replacing the recently added |
D'oh! Fixed in last push. |
|
Wait, is it actually supposed to be double-quoted like that? |
| @@ -36,7 +36,7 @@ def host_to_url(str) | |||
| p.worker_src :self, :blob, assets_host | |||
| else | |||
| p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url | |||
| p.script_src :self, assets_host, :unsafe_eval | |||
| p.script_src :self, assets_host, "'unsafe-wasm-eval'" | |||
There was a problem hiding this comment.
Wait, according to the issue discussion, it's wasm-unsafe-eval, not unsafe-wasm-eval. Which is it?
Yes those double quotes are intentional, though I couldn't tell you why. See the diffs in the issue, single quoting didn't work for me but double quoting did. And I'm pretty sure I have the correct directive, also see the issue. "unsafe-wasm-eval" doesn't produce CSP errors from the browser. |
|
There are no search results for "unsafe-wasm-eval" but there are Google/Firefox pages referencing "wasm-unsafe-eval", also the person who told you about the quotes used "wasm-unsafe-eval" in their code snippet. |
|
You're right, it should be |
…stodon#20606) * Add "unsafe-eval" to script-src CSP * Use 'unsafe-wasm-eval' instead of 'unsafe-eval'
… CSP (mastodon#20606)" This reverts commit b46b7c3.
…ript-src CSP (mastodon#20606)"" This reverts commit 999011e.
(Thanks @felixdoerre)