Good morning all!
Due to Pagure's new default Content Security Policy, src.fp.o users are getting a CSP error since the UI is trying to fetch a JS file from apps.fp.o and the policy denies it.
We need a configuration change on src.fp.o to modify the CSP policy on src{.stg}.fp.o instances to allow clients to fetch JS files from apps.fp.o.
I opened an issue on the tracker[0], but since we are on freeze now, here goes the same patch for an FBR.
Regards,
[0]: https://pagure.io/fedora-infrastructure/issue/8121
On Wed, Aug 28, 2019 at 01:08:01PM +0200, Julen Landa Alustiza wrote:
Good morning all!
Due to Pagure's new default Content Security Policy, src.fp.o users are getting a CSP error since the UI is trying to fetch a JS file from apps.fp.o and the policy denies it.
We need a configuration change on src.fp.o to modify the CSP policy on src{.stg}.fp.o instances to allow clients to fetch JS files from apps.fp.o.
I opened an issue on the tracker[0], but since we are on freeze now, here goes the same patch for an FBR.
Regards,
[0]: https://pagure.io/fedora-infrastructure/issue/8121
Julen Landa Alustiza
From 2fb07c8164aa48330449b7b7ff917155d50210ea Mon Sep 17 00:00:00 2001
From: Julen Landa Alustiza <jlanda@fedoraproject.org>
Date: Wed, 21 Aug 2019 16:59:26 +0200
Subject: [PATCH] dist-git: Custom csp policy that allows connecting to apps.fp.o

roles/distgit/pagure/templates/pagure.cfg | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/roles/distgit/pagure/templates/pagure.cfg b/roles/distgit/pagure/templates/pagure.cfg index f3dd2c466..0aa7c7764 100644 --- a/roles/distgit/pagure/templates/pagure.cfg +++ b/roles/distgit/pagure/templates/pagure.cfg @@ -296,4 +296,13 @@ PROJECT_NAME_REGEX = '^[a-zA-z0-9_][a-zA-Z0-9-_.+]*$'
HTTP_REPO_ACCESS_GITOLITE = None
+CSP_HEADERS = (
- "default-src 'self';"
- "script-src 'self' '{nonce_script}' https://apps.fedoraproject.org; "
- "style-src 'self' '{nonce_style}'; "
- "object-src 'none';"
- "base-uri 'self';"
- "img-src 'self' https:;"
+)
{% include "pagure_shared.cfg" %}
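Review bot: the new `script-src` entry allowlists the whole https://apps.fedoraproject.org origin, so every script that host serves, not only the one JS file the mail mentions, becomes trusted by src.fp.o pages; a short template comment naming the asset that needs it and pointing at issue #8121 would make the entry easy to tighten or roll back later. Second, the six fragments are joined by Python implicit string concatenation and only some of them end in a space (`"default-src 'self';"` versus `"script-src 'self' '{nonce_script}' https://apps.fedoraproject.org; "`), so the emitted header reads `...'self';script-src...` in places; browsers accept that because `;` alone separates directives, but ending every fragment with `"; "` keeps the header readable in `curl -I` output. Finally, the directive lines appear with a leading `-` in this rendering, while the hunk header `@@ -296,4 +296,13 @@` and the `9 insertions(+)` summary show they are all additions, so nothing from the existing template is removed.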
+1 for me
Happy to apply and run the playbook for it once we have another +1 :)
For the existing CSP policy: curl -I https://src.fedoraproject.org/rpms/fedocal
Thanks Julen, Pierre
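To see why the patch fixes the error and what the header from `curl -I` should now permit, here is a small added example (mine, not Pagure's or the Fedora infrastructure playbook's code). It parses a CSP header value, resolves the governing directive for a fetch (`script-src`, falling back to `default-src`), and evaluates the source list. The policy string is the one the patch adds, with made-up values in place of the `{nonce_script}` / `{nonce_style}` placeholders; the script URLs are constructed samples, not real asset paths.

```python
"""Check whether a Content-Security-Policy would allow a given fetch.

Added example, not Pagure's code. The PATCHED_CSP string is the policy
from the patch with constructed nonce values substituted; STRICT_CSP is
a constructed stand-in for a policy that only allows 'self'.
"""
from urllib.parse import urlsplit

# Constructed: the patch's policy with example nonces filled in.
PATCHED_CSP = (
    "default-src 'self';"
    "script-src 'self' 'nonce-EXAMPLEnonce' https://apps.fedoraproject.org; "
    "style-src 'self' 'nonce-EXAMPLEnonce'; "
    "object-src 'none';"
    "base-uri 'self';"
    "img-src 'self' https:;"
)

# Constructed: a policy without the apps.fp.o allowance (the failing case).
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"

PAGE_ORIGIN = "https://src.fedoraproject.org"


def parse_csp(header):
    """Return {directive: [source expressions]} from a CSP header value."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()          # tolerates missing/extra whitespace
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored
    return policy


def source_matches(expr, url, page_origin):
    """Does one CSP source expression permit fetching url from page_origin?"""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.startswith("'"):             # nonces/hashes never match a URL
        return False
    if expr.endswith(":") and "/" not in expr:   # scheme-source, e.g. https:
        return u.scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path], host may start with "*."
    e = urlsplit(expr if "://" in expr else "//" + expr)
    if e.scheme and e.scheme != u.scheme:
        return False
    host, want = (u.hostname or ""), (e.hostname or "")
    if want.startswith("*."):
        if not host.endswith(want[1:]):
            return False
    elif host != want:
        return False
    if e.port and e.port != u.port:
        return False
    if e.path and e.path != "/" and not u.path.startswith(e.path):
        return False
    return True


def fetch_allowed(header, directive, url, page_origin=PAGE_ORIGIN):
    """Resolve `directive` (falling back to default-src) and evaluate it."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                      # no governing directive: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)


def script_allowed(header, script_url, page_origin=PAGE_ORIGIN):
    """Convenience wrapper for the case discussed in the thread."""
    return fetch_allowed(header, "script-src", script_url, page_origin)


if __name__ == "__main__":
    sample = "https://apps.fedoraproject.org/example.js"   # constructed URL
    print("strict :", script_allowed(STRICT_CSP, sample))   # False
    print("patched:", script_allowed(PATCHED_CSP, sample))  # True
```

The fallback in `fetch_allowed` is the part that bites in practice: a header with only `default-src 'self'` blocks the apps.fp.o script just as surely as an explicit `script-src 'self'`, so when checking the live header it is the resolved directive, not just the presence of `default-src`, that matters.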
On Wed, 28 Aug 2019 at 13:15, Julen Landa Alustiza jlanda@fedoraproject.org wrote:
Good morning all!
Due to Pagure's new default Content Security Policy, src.fp.o users are getting a CSP error since the UI is trying to fetch a JS file from apps.fp.o and the policy denies it.
We need a configuration change on src.fp.o to modify the CSP policy on src{.stg}.fp.o instances to allow clients to fetch JS files from apps.fp.o.
I opened an issue on the tracker[0], but since we are on freeze now, here goes the same patch for an FBR.
+1 it looks easy enough to roll back in case we need to :-)
Regards,
[0]: https://pagure.io/fedora-infrastructure/issue/8121
Julen Landa Alustiza
_______________________________________________
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedorapro...
On Wed, Aug 28, 2019 at 01:24:42PM +0200, Clement Verna wrote:
On Wed, 28 Aug 2019 at 13:15, Julen Landa Alustiza <jlanda@fedoraproject.org> wrote:
Good morning all!
Due to Pagure's new default Content Security Policy, src.fp.o users are getting a CSP error since the UI is trying to fetch a JS file from apps.fp.o and the policy denies it.
We need a configuration change on src.fp.o to modify the CSP policy on src{.stg}.fp.o instances to allow clients to fetch JS files from apps.fp.o.
I opened an issue on the tracker[0], but since we are on freeze now, here goes the same patch for an FBR.
+1 it looks easy enough to roll back in case we need to :-)
Thanks!
Applied on git and on the servers :)
Pierre