Skip to content
This repository has been archived by the owner on Mar 20, 2023. It is now read-only.

update CSP setting #901

Merged
merged 1 commit into from
Jul 8, 2022
Merged

update CSP setting #901

merged 1 commit into from
Jul 8, 2022

Conversation

ChunxiAlexLuo
Copy link
Contributor

@ChunxiAlexLuo ChunxiAlexLuo commented Jul 8, 2022
edited
Loading

@ChunxiAlexLuo
update CSP setting
3e61178 
Signed-off-by: Chunxi Luo chuluo@redhat.com
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jul 8, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@pshickeydev
Copy link

@ChunxiAlexLuo while the CSP is good, the X-XSS-Protection (even if largely deprecated) I expect will be a problem for the customer. The CSP may prevent XSS, but the Protection header certainly shouldn't be set to disabled.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

I'm also not an owner so my approval will not trigger any merge.

@ChunxiAlexLuo
Copy link
Contributor Author

ChunxiAlexLuo commented Jul 8, 2022
edited
Loading

@ChunxiAlexLuo while the CSP is good, the X-XSS-Protection (even if largely deprecated) I expect will be a problem for the customer. The CSP may prevent XSS, but the Protection header certainly shouldn't be set to disabled. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

I'm also not an owner so my approval will not trigger any merge.

I also noticed this before this PR and found the helmet default disable X-XSS-Protection, if you think there is a need I can try to enable it in the helmet. helmetjs/helmet#230

Just let you review and if you think it is LGTM then @dhaiducek or @JustinKuli can approve it

@pshickeydev
Copy link

Checking the triage doc it looks like X-XSS-Protection was not a header they were concerned with.
/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jul 8, 2022
@openshift-ci
Copy link

openshift-ci bot commented Jul 8, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ChunxiAlexLuo, dhaiducek, pshickeydev

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [ChunxiAlexLuo,dhaiducek]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dhaiducek dhaiducek mentioned this pull request Jul 8, 2022
Merged
@openshift-ci openshift-ci bot merged commit bf6beb3 into stolostron:release-2.4 Jul 8, 2022
@pshickeydev
Copy link

Determined in https://github.com/stolostron/backlog/issues/23853#issuecomment-1198611555 that this PR does not address issue #23853

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dhaiducek dhaiducek dhaiducek approved these changes

@pshickeydev pshickeydev Awaiting requested review from pshickeydev

Assignees

@dhaiducek dhaiducek

@pshickeydev pshickeydev

Labels
approved dco-signoff: yes lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ChunxiAlexLuo @pshickeydev @dhaiducek