
Lucky bug reporting conflicts with user Content-Security-Policy

Open BrucePerens opened this issue 5 years ago • 4 comments

When Lucky reports an exception to the developer, it uses inline JavaScript. If the user has set a restrictive Content-Security-Policy, this is rejected. Solution: provide a way, per request, for the user to set a nonce, or for Lucky to generate a nonce for the user using Random::Secure.base64. Add the nonce to the <script> tag, as in <script nonce="...">.

In a separate issue I will discuss how to implement a content-security-policy facility in Lucky.

BrucePerens avatar Dec 04 '20 18:12 BrucePerens
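How the per-request nonce approach from the opening post looks in plain Crystal, as an added example built on the standard library's HTTP::Server rather than Lucky's own API (the CspNonce module and the sample page are assumptions, not code from the Lucky or exception_page projects):

```crystal
require "http/server"
require "random/secure"

# Hypothetical helper, not Lucky's own API: one nonce per request, applied to
# both the Content-Security-Policy header and the inline <script> it covers.
module CspNonce
  # 16 random bytes, base64-encoded: unguessable and fresh for every response.
  def self.generate : String
    Random::Secure.base64(16)
  end

  # Inline scripts are allowed only when they carry this exact nonce;
  # 'unsafe-inline' is deliberately absent.
  def self.header_value(nonce : String) : String
    "default-src 'self'; script-src 'self' 'nonce-#{nonce}'"
  end

  # The inline script tag with the nonce attached.
  def self.script_tag(nonce : String, js : String) : String
    %(<script nonce="#{nonce}">#{js}</script>)
  end
end

server = HTTP::Server.new do |context|
  nonce = CspNonce.generate # never reuse a nonce across requests
  context.response.content_type = "text/html"
  context.response.headers["Content-Security-Policy"] = CspNonce.header_value(nonce)
  context.response.print <<-HTML
    <!doctype html>
    <body>
      <h1>Exception page (constructed sample)</h1>
      #{CspNonce.script_tag(nonce, "console.log('inline script permitted by nonce');")}
    </body>
    HTML
end

address = server.bind_tcp 8080
puts "Listening on http://#{address}"
server.listen
```

With the header present, a browser executes the nonced script and blocks any inline script without a matching nonce, which is the check to verify in the browser console when testing an error page under CSP.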

You're referring to the error page that shows up, right? Where you can expand the error details and all that? We currently use https://github.com/crystal-loot/exception_page for that page. We may need to consider using a forked version depending on what the best solution is 🤔

jwoertink avatar Dec 04 '20 18:12 jwoertink

Will file with @Sija, let's continue to track here.

BrucePerens avatar Dec 04 '20 19:12 BrucePerens

Filed as https://github.com/crystal-loot/exception_page/issues/17

BrucePerens avatar Dec 04 '20 19:12 BrucePerens

We still need a general mechanism to set the nonce in Lucky, not in every shard that Lucky uses that needs it.

BrucePerens avatar Dec 04 '20 19:12 BrucePerens

This is fixed already

jwoertink avatar Aug 14 '22 17:08 jwoertink