What
This adds CSP headers for the webapp in development mode and into the built docker image.

The CSP header used at the moment is `script-src * 'unsafe-inline';`. This will prevent `unsafe-eval` execution, which will prevent executing any form of `eval`, `new Function`, etc. where code is executed from a string. This will increase security slightly.

We unfortunately can't go much beyond this, since several third-party libraries we're using are injecting script directly into HTML (and thus require `unsafe-inline`). Given that we have no pre-processing web server, we can't leverage dynamically generated nonces to make those inline scripts potentially safer.

Another problem is that we're using Google Tag Manager and Segment, which might pull in scripts dynamically configured in those systems. To keep those scripts working (and allow our Go-To-Market team to further use and add more scripts), we can't limit the source to more than `*`, since we'd otherwise need a new release for every new script/tool embedded via Google Tag Manager, which would defy the whole purpose of using tools like Google Tag Manager. Since all those libraries can or already do pull in styles, we can't narrow that down any further.
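To make the trade-off in the description concrete, here is an added example (not code from this PR or the project) that models the `script-src` checks a browser applies and runs them against the policy above and against the nonce-based policy the description says is out of reach without a pre-processing server. It is a deliberate simplification of CSP3: host-source matching ignores ports and paths, `'self'`, `'strict-dynamic'` and hash-sources are not modelled, and the nonce value and the Google Tag Manager URL are constructed for the example.

```javascript
// Added example: a small model of Content-Security-Policy script-src checks.
// Not the project's code. Simplified CSP3: no port/path matching, no 'self',
// no 'strict-dynamic', no hash-sources.

// Parse a header value such as "script-src * 'unsafe-inline'; style-src *"
// into a Map of directive name -> array of source expressions.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Source list governing scripts: script-src, else default-src, else unrestricted (null).
function scriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Does a host-source or scheme-source expression match a script URL?
// "*" matches anything, "https:" matches any https URL, "*.example.com" matches
// subdomains only; otherwise the (optional) scheme and the host must be equal.
function hostSourceMatches(source, url) {
  const u = new URL(url);
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  let scheme = null;
  let host = source;
  const i = source.indexOf("://");
  if (i !== -1) {
    scheme = source.slice(0, i + 1).toLowerCase();
    host = source.slice(i + 3);
  }
  host = host.split("/")[0].split(":")[0].toLowerCase(); // drop path and port
  if (scheme && scheme !== u.protocol) return false;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".example.com"
    return u.hostname.endsWith(suffix) && u.hostname.length > suffix.length;
  }
  return host === u.hostname;
}

// Decide whether the policy allows one script execution vector:
//   { kind: "eval" }                     eval(), new Function(), setTimeout(string)
//   { kind: "inline", nonce?: string }   <script>...</script> or inline event handler
//   { kind: "external", url: string }    <script src="...">
function allowsScript(directives, script) {
  const sources = scriptSources(directives);
  if (sources === null) return true; // no directive restricts scripts
  const has = (s) => sources.includes(s);
  switch (script.kind) {
    case "eval":
      return has("'unsafe-eval'");
    case "inline": {
      const nonces = sources.filter((s) => s.startsWith("'nonce-"));
      const hashes = sources.filter((s) => /^'sha(256|384|512)-/.test(s));
      // CSP3: any nonce or hash in the list makes 'unsafe-inline' ignored, so an
      // inline script then runs only if it carries a matching nonce.
      if (nonces.length > 0 || hashes.length > 0) {
        return script.nonce !== undefined && nonces.includes(`'nonce-${script.nonce}'`);
      }
      return has("'unsafe-inline'");
    }
    case "external":
      return sources.some((s) => !s.startsWith("'") && hostSourceMatches(s, script.url));
    default:
      throw new Error(`unknown script kind: ${script.kind}`);
  }
}

// Summarise what a policy permits for the vectors the PR description discusses.
function describePolicy(header, nonce) {
  const d = parsePolicy(header);
  return {
    eval: allowsScript(d, { kind: "eval" }),
    inlineWithoutNonce: allowsScript(d, { kind: "inline" }),
    inlineWithNonce: allowsScript(d, { kind: "inline", nonce }),
    tagManager: allowsScript(d, { kind: "external", url: "https://www.googletagmanager.com/gtm.js" }),
    arbitraryHost: allowsScript(d, { kind: "external", url: "https://attacker.example/x.js" }),
  };
}

// The policy from the PR, and a nonce-based alternative (nonce constructed here;
// a real deployment would mint a fresh one per response, which needs a server).
const PR_POLICY = "script-src * 'unsafe-inline';";
const NONCE = "r4nd0mPerRequest";
const NONCE_POLICY = `script-src 'nonce-${NONCE}' https://www.googletagmanager.com;`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("PR policy:   ", describePolicy(PR_POLICY, NONCE));
  console.log("nonce policy:", describePolicy(NONCE_POLICY, NONCE));
}
```

Running it shows the point made in the description: the PR policy blocks `eval` and `new Function` but lets any inline script and any host load, while the nonce policy blocks inline scripts that lack the per-response nonce and limits external scripts to the listed host, at the cost of having to generate that nonce on every response.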