#69 coreos-download: Fixes for CSP
Merged a year ago by codeblock. Opened a year ago by rfairley.
fedora-web/rfairley/websites: rfairley-enhancements into master

@@ -6,7 +6,6 @@ 


  {% block content %}

  {{submenu(edition="coreos", active="download")}}

- <link rel="stylesheet" type="text/css" href="{{ url_for('static',filename='css/coreos-download.css') }}">

  <div class="bg-tranparent py-5">

    <div class="container">

      <div class="row align-items-center">
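Review bot: Removing the `<link>` to `css/coreos-download.css` is the right call given the description says the file does not exist, but before merging, confirm that no page-specific rules were intended to live in that file; if any were, they need a home in an existing stylesheet, otherwise the page quietly loses styling instead of failing loudly the way the missing asset did here. Unrelated to the change but visible in the context lines: `class="bg-tranparent"` looks like a typo for Bootstrap's `bg-transparent`, which would mean that class currently has no effect.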
@@ -32,7 +31,7 @@ 

  {% block js %}

  <!-- Use the Vue runtime build only,to avoid use of eval() in the full build,

    which is blocked by the CSP. -->

- <script type="text/javascript" src="{{ url_for('static', filename='js/vue.runtime.min.js') }}"></script>

- <script type="text/javascript" src="{{ url_for('static', filename='js/coreos-download.js') }}"></script>

+ <script src="{{ url_for('static', filename='js/vue.runtime.min.js') }}"></script>

+ <script src="{{ url_for('static', filename='js/coreos-download.js') }}"></script>

  {{ super() }}

  {% endblock %}
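Review bot: Dropping `type="text/javascript"` is harmless, since that is the default script type and browsers treat both forms identically, but it is cosmetic rather than a fix: the "blocked due to MIME type (text/html)" errors in the description happen because the server answers the script URL with an HTML body (a 404 page, per the discussion) and `X-Content-Type-Options: nosniff` forbids executing it as script. The hunk is fine to merge as-is, but the PR description should say that the real fix is whatever makes `static/js/vue.runtime.min.js` and `static/js/coreos-download.js` actually present in the deployed static tree, so the change is not mistaken for a CSP fix. The comment about using the runtime-only Vue build to avoid `eval()` under the CSP is accurate and worth keeping.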

The page at https://getfedora.org/en/coreos/download/ is currently showing (in Firefox):

The resource from “https://getfedora.org/static/css/coreos-download.css” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff).
The resource from “https://getfedora.org/static/js/vue.runtime.min.js” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff).
Loading failed for the <script> with source “https://getfedora.org/static/js/vue.runtime.min.js”. download:1:1
The resource from “https://getfedora.org/static/js/coreos-download.js” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff).
Loading failed for the <script> with source “https://getfedora.org/static/js/coreos-download.js”.

The coreos-download.css file should not be included: missed this in PR #46.

I have also removed type="text/javascript" from the script tags, as this is how it was before PR #46 (in commit https://pagure.io/fork/rfairley/fedora-web/websites/c/bf54659adf94794f82ee5a2372c72b55db3e1f3b).

This is an attempt to fix the CSP errors - I have verified this through the Flask development server but not tested it against the CSP.

So, these issues are not related to CSP.
These errors are caused by the URLs that are trying to be included just not existing at the locations requested.
Note I do think your patch might fix it (not checked that exactly), but I can say that this is NOT related to the Content Security Policy rules, just 404s.

@puiterwijk thanks, that makes sense. I think that explains why having type="text/javascript" in the script tags has worked previously - if the missing coreos-download.css file is causing the other problems.

@rfairley that is indeed the issue, the missing coreos-download.css.

You've led me down a rabbit hole though and there's a bigger issue here in the build-prod.sh script that I need to look at tomorrow.

Here's what happened:

  • The static build bombed out because coreos-download.css doesn't exist and it wanted it to exist.
  • At this point, the production build should have given up and said "Okay, nope, we're done, good day, fix your stuff."
  • Instead, however, the production build proceeded to sync the partially built static site out. The result is that the pages are all there (luckily), but a bunch of the static assets (the extra JS files, mostly) are missing because the build bombed out before frozen-flask could copy them in.

So I need to fix build-prod.sh tomorrow so that never happens again. For now, I will merge this, which removes the reference to the missing file, and will succeed the build and fix things.
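The failure mode described above (the build fails partway, the script keeps going and syncs the partial output) is the classic "deploy step ignores the build's exit status" bug. The following is an added example, not the Fedora websites project's `build-prod.sh`: a minimal POSIX sh wrapper in which a stand-in build step fails when a referenced asset is missing, and the sync step runs only when the build returned 0. The `assets.txt` manifest, the `build_site` function and the `cp`-based sync are all constructed for the demo and stand in for frozen-flask and the real rsync.

```shell
#!/bin/sh
# Added example (not the project's build-prod.sh). Shows a build wrapper that
# never syncs a partially built site: the deploy step is gated on the build's
# exit status instead of running unconditionally after it.

# Constructed stand-in for the static build. Every asset path listed in
# $src/assets.txt must exist under $src/static/, otherwise the build fails
# with a non-zero status (like frozen-flask did for coreos-download.css).
#   $1 = source directory, $2 = build output directory
build_site() {
    src="$1"; out="$2"
    mkdir -p "$out"
    while read -r asset; do
        [ -n "$asset" ] || continue
        if [ ! -f "$src/static/$asset" ]; then
            echo "build: missing referenced asset static/$asset" >&2
            return 1          # abort the build; output dir is now partial
        fi
        mkdir -p "$out/static/$(dirname "$asset")"
        cp "$src/static/$asset" "$out/static/$asset"
    done < "$src/assets.txt"
    return 0
}

# Run the build and sync ONLY if it succeeded. On failure the previous
# deployment in $3 is left untouched and the build's failure is propagated.
#   $1 = source directory, $2 = build output directory, $3 = deploy target
build_then_sync() {
    if ! build_site "$1" "$2"; then
        echo "deploy: build failed, not syncing partial output" >&2
        return 1
    fi
    mkdir -p "$3"
    cp -R "$2/." "$3/"        # stand-in for the real rsync to production
}
```

Usage is `build_then_sync src out deploy`; with a manifest that references a missing file the function returns 1 and `deploy` is never created or modified, with a consistent manifest it copies the built tree into `deploy`. The important design choice is that the status check is explicit (`if ! build_site`) rather than relying on `set -e`, which does not fire inside conditionals or pipelines and is easy to lose when a script is edited later.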

Pull-Request has been merged by codeblock, a year ago.