Add Content Security Policy headers to all jQuery content sites #54
Comments
Prevent future regressions. Ref #3. Ref jquery/infrastructure-puppet#54
This also depends on jquery/jquery-wp-content#463. Also, the nginx changes are only being deployed to staging atm.
@timmywil Of the three changed roles, only grunt has staging. It seems https://stage.gruntjs.com/ is now down. I guess an nginx syntax error?
After consulting the docs, I don't see anything obviously wrong with the syntax. Instead, I think the issue has to do with the grunt site's use of
@timmywil That didn't seem to bring the site back. I tried logging into the droplet to check its puppet log and nginx error, but it's not responding to SSH. Looks like something on 22 Aug (two days before your first patch). Could it be a coincidence?
I've rebooted the instance and the site is now back up. Investigation at #60 (unrelated to this).
- https://demos.jquerymobile.com/1.4.5/listview-autocomplete-remote/ - script-src addition for gd.geobytes.com
- https://demos.jquerymobile.com/1.5.0-rc1/map-geolocation/ - script-src, connect-src, and style-src additions for google maps
- https://demos.jquerymobile.com/1.4.5/datepicker/ - script-src and style-src additions for jsdelivr assets
Ref jquery#54
Number of CSP reports is very low now. It's getting hard to find legitimate reports. The latest PR covers everything I could find from the last 24 hours. I think once that's merged, we can switch to non-report headers, but leave the logs on to watch for anything I might have missed.
- https://demos.jquerymobile.com/1.4.5/listview-autocomplete-remote/ - script-src addition for gd.geobytes.com
- https://demos.jquerymobile.com/1.5.0-rc1/map-geolocation/ - script-src, connect-src, and style-src additions for google maps
- https://demos.jquerymobile.com/1.4.5/datepicker/ - script-src and style-src additions for jsdelivr assets
Ref gh-54 Closes gh-70
Need to switch to non-report headers in jquery-wp-content as well, but first we need to test the production sites. That should be quick, as I've tested all the staging sites already and the content should match. But a few WordPress sites do not have staging equivalents (i.e. blogs).
- disable style tag added in WordPress 6.7 Ref jquery/infrastructure-puppet#54 Closes gh-473
Remaining items:
Then we can finally call this done, but continue watching logs for anything I missed.
Proposed header value
This should be tested with a report header first
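The workflow in this thread is: ship the policy as Content-Security-Policy-Report-Only, collect the violation reports the browsers post to the report-uri, add the legitimate third-party origins to the right directives, and only then switch to the enforcing header. The triage script below is an added example, not code from the jQuery infrastructure repositories; the report lines, the origins and the `triage`/`parse_report` function names are constructed here, following the `csp-report` JSON shape browsers send.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one "csp-report" JSON document per line, as POSTed to a
# report-uri endpoint. Hosts mirror the ones discussed in this issue.
SAMPLE_REPORTS = [
    '{"csp-report":{"document-uri":"https://demos.jquerymobile.com/1.4.5/listview-autocomplete-remote/",'
    '"effective-directive":"script-src","blocked-uri":"https://gd.geobytes.com/AutoCompleteCity?q=a"}}',
    '{"csp-report":{"document-uri":"https://demos.jquerymobile.com/1.5.0-rc1/map-geolocation/",'
    '"violated-directive":"connect-src \'self\'","blocked-uri":"https://maps.googleapis.com/maps/api/js"}}',
    '{"csp-report":{"document-uri":"https://demos.jquerymobile.com/1.4.5/datepicker/",'
    '"effective-directive":"style-src","blocked-uri":"https://cdn.jsdelivr.net/npm/x.css"}}',
    '{"csp-report":{"document-uri":"https://blog.example.com/","effective-directive":"style-src-elem",'
    '"blocked-uri":"inline"}}',
    'not json at all',
]

# blocked-uri values that name a violation kind rather than a host. These point at
# page markup to fix (or cover with a hash/nonce), never at an allowlist entry.
NON_HOST_SOURCES = {"inline", "eval", "data", "blob", "self", "wasm-eval", ""}

def parse_report(line):
    """Return (directive, blocked_uri) for one report line, or None if unusable."""
    try:
        body = json.loads(line)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    # Browsers differ: "violated-directive" may carry the whole directive text
    # ("connect-src 'self'"), while "effective-directive" is a bare directive name.
    directive = body.get("effective-directive")
    if not directive:
        tokens = body.get("violated-directive", "").split()
        if not tokens:
            return None
        directive = tokens[0]
    return directive, body.get("blocked-uri", "")

def triage(lines):
    """Split reports into allowlist candidates (directive -> origins) and
    violations needing a content fix (directive -> kinds such as "inline")."""
    allow, fix = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_report(line)
        if not parsed:
            continue  # skip malformed lines rather than abort the whole run
        directive, blocked = parsed
        parts = urlsplit(blocked)
        if blocked in NON_HOST_SOURCES or not parts.netloc:
            fix[directive].add(blocked or "(empty)")
        else:
            allow[directive].add(f"{parts.scheme}://{parts.netloc}")  # origin only
    return {k: sorted(v) for k, v in allow.items()}, {k: sorted(v) for k, v in fix.items()}
```

Run against a day's worth of report lines, the `allow` map gives the directive additions to review and the `fix` map the inline script/style hits that should be removed from the page instead, which is the distinction behind the WordPress style-tag change above.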