#8418 Content Security Policy on src.fedoraproject.org breaks requests to pdc.fedoraproject.org
Closed: Fixed 4 years ago by pingou. Opened 4 years ago by till.

From the Chrome console when accessing https://src.fedoraproject.org/rpms/bash/branches?branchname=master

Refused to connect to 'https://pdc.fedoraproject.org/rest_api/v1/component-branches/?active=false&type=rpm&global_component=bash' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Also note that the retired branches should be greyed out, which makes the problem visible without looking at the Chrome console.


Metadata Update from @smooge:
- Issue assigned to pingou
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: src.fp.o

4 years ago

My fix to mdapi doesn't quite seem to work though accessing https://src.fedoraproject.org/rpms/bash I still see some errors in the console. I'll see tomorrow about this.


My Firefox complains about script-src rules with mdapi, try moving it to script-src

@jlanda good catch that was it! :)

It still fails because of mime-type mis-match but that's something to fix in mdapi, it's no longer a CSP issue.

Thanks! :)

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago
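To illustrate the fallback the browser describes in the report (connect-src not set, so default-src applies) and why moving the mdapi host into script-src was the fix, here is a simplified CSP evaluator added to this ticket; it is not src.fedoraproject.org or Pagure code, and the policy strings, request URLs and page origin are constructed for the example.

```python
# Added example (not src.fedoraproject.org/Pagure code): a simplified CSP evaluator
# covering fetch directives, their default-src fallback and host/'self' sources.
# Nonces, hashes, 'unsafe-*' keywords and path matching are deliberately omitted.
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://src.fedoraproject.org"            # page issuing the requests
PDC_URL = "https://pdc.fedoraproject.org/rest_api/v1/component-branches/?type=rpm"
MDAPI_URL = "https://mdapi.fedoraproject.org/rawhide/srcpkg/bash?callback=jQuery"

def parse_csp(header: str) -> dict:
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], ...}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Match one source expression ('self', 'none', *, scheme://host[:port]) to url."""
    req, page = urlsplit(url), urlsplit(page_origin)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return (req.scheme, req.netloc) == (page.scheme, page.netloc)
    src = urlsplit(source if "://" in source else f"{req.scheme}://{source}")
    if src.scheme != req.scheme or (src.port and src.port != req.port):
        return False
    if src.hostname.startswith("*."):                     # wildcard host source
        return req.hostname.endswith(src.hostname[1:])
    return src.hostname == req.hostname

def allowed(header: str, directive: str, url: str) -> tuple:
    """Return (is_allowed, directive_actually_applied) for one fetch directive."""
    policy = parse_csp(header)
    applied = directive if directive in policy else "default-src"
    if applied not in policy:
        return True, None                                 # no directive covers it
    return any(source_matches(s, url) for s in policy[applied]), applied

# Constructed policies: the original, a half fix that only widens connect-src,
# and one that also lists the JSONP host under script-src as the ticket ended up.
ORIGINAL = "default-src 'self'"
ONLY_CONNECT = ("default-src 'self'; connect-src 'self' "
                "https://pdc.fedoraproject.org https://mdapi.fedoraproject.org")
FIXED = ("default-src 'self'; connect-src 'self' https://pdc.fedoraproject.org; "
         "script-src 'self' https://mdapi.fedoraproject.org")
```

Running `allowed(ORIGINAL, "connect-src", PDC_URL)` returns `(False, 'default-src')`, which is exactly the fallback the Chrome message points out; `allowed(ONLY_CONNECT, "script-src", MDAPI_URL)` still fails because the mdapi call is a `<script>` load, not an XHR.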

I'm not so sure if the problem is on mdapi:

On a curl -I to https://mdapi.fedoraproject.org/rawhide/srcpkg/bash?callback=jQuery3410901376464649285_1574931632973&_=1574931632974 :
content-type: application/json; charset=utf-8

and actually, it is returning json, but Firefox does not like json on a <script src>? Should we change mdapi to set content-type to a javascript-allowed one, complain to Firefox for not allowing script srcs with application/json, or what? :D
