feature: adds dev-time CSP headers #3456
Conversation
✅ Deploy Preview for kuma-gui ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
Cool, thanks! I addressed the inlines also, remember this is only dev-time so we can always come back and tweak things here. If you spot anything that we would usually do in development that we now can't for whatever reason lemme know Gonna go ahead and merge 👍 |
|
Oh wait I just thought of something else I should check 😅 brb! |
|
😅 I added a straight-forward guard so we can turn this off in places we might need to. Later on I'll probably expand this so we can inject the config from The Outside |
I made #3458 which hopefully will allow us to remove the |
Signed-off-by: John Cowen <[email protected]>
Signed-off-by: John Cowen <[email protected]>
johncowen
force-pushed
the
feature/add-dev-csp-headers
branch
from
4f6988a to
2c7ce50
Compare
Signed-off-by: John Cowen <[email protected]>
|
Hey sorry, I think I want to have only one PR go in for this as a single reference. At the moment I'm trying to make improve things by removing the need for 🤔 I'm going to move this to draft even though it has approval, and look for approval again once I'm happy that I've definitely finished here, just so its clearer what I'm doing. |
Adds stricter CSP headers to our development vite server.
Whilst this is dev time only, it ensures that our GUI runs on a similarly configured server (such as kumahq/kuma#12553)
As mentioned in other places, it would be good to add work so we can remove the
style-src 'unsafe-inline'. This will require a globally availablev-styledirective which adds/removes/modifies styles imperatively behind the scenes.Testing:
Using
make run, add the following or similar anchor with an inline script and click it.