Skip to content

Add CSP #7990

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 22 commits into from
Closed

Add CSP #7990

wants to merge 22 commits into from

Conversation

maxammann
Copy link
Contributor

@maxammann maxammann commented Aug 6, 2025
edited
Loading 

    1. By default, only allow scripts from the same origin.
    2. Allow inline styles and styles from the same origin. This is how we use CSS rightnow.
    3. Allow images from any source and inline images. We fetch user profile images from any origin.
    4. Allow scripts from the same origin and from Plausible Analytics. Allow WASM execution.
    5. Allow WebSocket connections and fetches to our API.

So far this has been tested on localhost.

@maxammann maxammann requested a review from a team as a code owner August 6, 2025 13:00
@vercel Vercel
Copy link

vercel bot commented Aug 6, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
modeling-app Ready Ready Preview Comment Aug 15, 2025 5:09pm

@jacebrowning jacebrowning marked this pull request as draft August 7, 2025 20:39
@maxammann maxammann marked this pull request as ready for review August 12, 2025 17:31
@jacebrowning jacebrowning requested a review from nadr0 August 12, 2025 17:40
jacebrowning
jacebrowning reviewed Aug 12, 2025
View reviewed changes
vite.config.ts Outdated
indexHtmlCsp(
// production means it was build using `vite build`
mode == 'production'
? process.env.VITE_KITTYCAD_BASE_DOMAIN === 'dev.zoo.dev'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will likely be the first place logic is tied to BASE_DOMAIN so I want to make sure @nadr0 signs off on this approach.

Copy link
Contributor

@nadr0 nadr0 Aug 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What would happen if someone changes the BASE_DOMAIN during runtime, would these HTML headers be bricked?

Someone that builds a production binary is allowed to point the base domain to any domain. Localhost, dev, zoogov.dev and production.

If this bricks that workflow we are going to need a new approach.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BASE_DOMAIN is only for vercel essentially. mode == 'produciton' is my way to detect if we build on vercel right now.

So probably changing that would be required.

The CSP does not allow connecting to gov or localhost right now, so either we adapt the CSP or include them in a certain configuration.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed the vercel detection and also only enabled CSP for "production" builds in web

nadr0
nadr0 requested changes Aug 12, 2025
View reviewed changes
Copy link
Contributor

@nadr0 nadr0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am blocking to prevent zoogov.dev from being bricked.

jacebrowning
jacebrowning reviewed Aug 12, 2025
View reviewed changes
@vercel Vercel
Copy link

vercel bot commented Aug 12, 2025

Deployment failed with the following error:

Could not parse File as JSON: vercel.json

maxammann
maxammann commented Aug 13, 2025
View reviewed changes
Copy link
Contributor Author

@maxammann maxammann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.

@vercel Vercel
Copy link

vercel bot commented Aug 13, 2025

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: `headers[0].headers[1]` should NOT have additional property `_comment`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration

@jacebrowning jacebrowning requested a review from iterion August 15, 2025 15:17
@maxammann maxammann requested a review from nadr0 August 15, 2025 21:14
@maxammann maxammann closed this Aug 15, 2025
@maxammann maxammann mentioned this pull request Aug 15, 2025
Merged
@maxammann maxammann deleted the maxammann/deploy-csp branch August 16, 2025 08:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jacebrowning jacebrowning jacebrowning left review comments

@iterion iterion iterion approved these changes

@lee-at-zoo-corp lee-at-zoo-corp Awaiting requested review from lee-at-zoo-corp

@nadr0 nadr0 Awaiting requested review from nadr0

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@maxammann @iterion @jacebrowning @nadr0 @lee-at-zoo-corp