Re: Freeze Break Request: Content security policy on src.fp.o

On Wed, Aug 28, 2019 at 01:08:01PM +0200, Julen Landa Alustiza wrote:
> Good morning all!
> 
> Due to pagure's new default content security policy src.fp.o users are
> getting a csp-error since the ui is trying to fetch a js file from
> apps.fp.o and the policy denies it.
> 
> We need a configuration change on src.fp.o to modify the csp policy on
> src{.stg}.fp.o instances to allow clients to fetch js files from apps.fp.o
> 
> I opened an issue on the tracker[0], but since we are on freeze now here
> goes the same patch for a FBR.
> 
> Regards,
> 
> [0]: https://pagure.io/fedora-infrastructure/issue/8121
> -- 
> Julen Landa Alustiza

> From 2fb07c8164aa48330449b7b7ff917155d50210ea Mon Sep 17 00:00:00 2001
> From: Julen Landa Alustiza <jlanda@xxxxxxxxxxxxxxxxx>
> Date: Wed, 21 Aug 2019 16:59:26 +0200
> Subject: [PATCH] dist-git: Custom csp policy that allows connecting to
>  apps.fp.o
> 
> ---
>  roles/distgit/pagure/templates/pagure.cfg | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/roles/distgit/pagure/templates/pagure.cfg b/roles/distgit/pagure/templates/pagure.cfg
> index f3dd2c466..0aa7c7764 100644
> --- a/roles/distgit/pagure/templates/pagure.cfg
> +++ b/roles/distgit/pagure/templates/pagure.cfg
> @@ -296,4 +296,13 @@ PROJECT_NAME_REGEX = '^[a-zA-z0-9_][a-zA-Z0-9-_\.+]*$'
>  
>  HTTP_REPO_ACCESS_GITOLITE = None
>  
> +CSP_HEADERS = (
> +    "default-src 'self';"
> +    "script-src 'self' '{nonce_script}' https://apps.fedoraproject.org; "
> +    "style-src 'self' '{nonce_style}'; "
> +    "object-src 'none';"
> +    "base-uri 'self';"
> +    "img-src 'self' https:;"
> +)
> +
>  {% include "pagure_shared.cfg" %}
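Review bot: the subject says the policy "allows connecting to apps.fp.o", but the hunk only widens `script-src`; with no `connect-src` directive, fetch/XHR/WebSocket requests from the page fall back to `default-src 'self'` and stay blocked. If the apps.fp.o script only needs to load, the subject should say so; if the script itself calls back to apps.fp.o, a `connect-src` entry is needed too. Second, `https://apps.fedoraproject.org` as a host-source trusts every script served from that origin, while the cover letter describes a single js file; a path-scoped source expression (`https://apps.fedoraproject.org/<path-to-that-file>`) would limit trust to what the UI actually needs, if the path is stable. Minor style point: the separator after `;` is inconsistent across the string literals (`"default-src 'self';"` vs `"style-src 'self' '{nonce_style}'; "`); browsers tolerate missing whitespace after `;`, but one consistent `"; "` keeps the concatenated header readable. Since this value replaces pagure's whole default policy rather than extending it, it is worth diffing the header served after the playbook run (the `curl -I` check below) against the current one to confirm nothing else was dropped.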

+1 for me

Happy to apply and run the playbook for it once we have another +1 :)


For the existing CSP policy: curl -I https://src.fedoraproject.org/rpms/fedocal


Thanks Julen,
Pierre
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
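To make the fallback behaviour discussed above concrete, here is a small CSP checker. It is an added example, not code from the thread or from pagure: it parses the header value the patch's `CSP_HEADERS` tuple produces (with made-up nonce values substituted for the `{nonce_script}`/`{nonce_style}` placeholders) and answers "may the browser load resource X under directive Y?" using the browser's rule that an absent fetch directive falls back to `default-src`. The host matcher is simplified (no port handling, only the directives that fall back directly to `default-src`), which is enough to show why a `script-src` change alone does not open `connect-src`.

```python
"""Check what a Content-Security-Policy value permits (added example)."""
from urllib.parse import urlsplit

# Constructed input: the header the patch's CSP_HEADERS tuple yields after
# pagure fills in the nonces (nonce values here are made up).
PATCH_CSP = (
    "default-src 'self';"
    "script-src 'self' 'nonce-abc123' https://apps.fedoraproject.org; "
    "style-src 'self' 'nonce-def456'; "
    "object-src 'none';"
    "base-uri 'self';"
    "img-src 'self' https:;"
)

# Fetch directives that fall back straight to default-src when absent.
# (Simplification: frame-src/worker-src have longer fallback chains.)
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src"}


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for token in value.split(";"):          # whitespace after ';' is optional
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)    # first occurrence wins, per spec
    return policy


def fallback_directives(value):
    """Fetch directives the policy leaves to default-src."""
    return sorted(FETCH_DIRECTIVES - set(parse_csp(value)))


def effective_sources(policy, directive):
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def host_matches(source, url, self_origin):
    """Does one source expression match the URL? (Ports ignored.)"""
    u = urlsplit(url)
    if source == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    if source.startswith("'"):               # 'none', nonces, hashes, 'unsafe-*'
        return False
    if source.endswith(":"):                 # scheme-source such as https:
        return u.scheme == source[:-1].lower()
    scheme, _, rest = source.rpartition("://")
    host, slash, path = rest.partition("/")
    if scheme and scheme.lower() != u.scheme:
        return False
    if host.startswith("*."):
        host_ok = u.hostname.endswith(host[1:])
    else:
        host_ok = u.hostname == host.lower()
    if not slash:                            # bare host: any path on that host
        return host_ok
    path = "/" + path                        # path-scoped source expression
    path_ok = u.path.startswith(path) if path.endswith("/") else u.path == path
    return host_ok and path_ok


def allows(csp, directive, url, self_origin="https://src.fedoraproject.org"):
    """True if the policy lets `directive` load `url` from a src.fp.o page."""
    sources = effective_sources(parse_csp(csp), directive)
    if sources is None:                      # no directive, no fallback
        return True
    return any(host_matches(s, url, self_origin) for s in sources)


if __name__ == "__main__":
    print("falls back to default-src:", fallback_directives(PATCH_CSP))
    for directive, url in [
        ("script-src", "https://apps.fedoraproject.org/some/file.js"),
        ("connect-src", "https://apps.fedoraproject.org/api/"),
        ("img-src", "https://example.org/logo.png"),
        ("object-src", "https://src.fedoraproject.org/plugin.swf"),
    ]:
        print(f"{directive:12} {url:50} -> {allows(PATCH_CSP, directive, url)}")
```

Running it shows the point of the review note: the script from apps.fedoraproject.org is allowed, but a fetch/XHR to the same host under `connect-src` is refused because that directive is absent and inherits `default-src 'self'`.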