Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP cause Netlify CMS failed to open #651

Closed
mazipan opened this issue Aug 12, 2021 · 13 comments · Fixed by #653 or #658
Closed

CSP cause Netlify CMS failed to open #651

mazipan opened this issue Aug 12, 2021 · 13 comments · Fixed by #653 or #658
Assignees
@zainfathoni
Labels
bug Something isn't working high-priority Issue with high priority security Web security

Comments

@mazipan
Copy link
Member

mazipan commented Aug 12, 2021
edited
Loading

Description

On #634 we have CSP related pull-request for issue #611

It cause our CMS Netlify failed to open on https://www.wargabantuwarga.com/admin/

Preview Blank Page:

Screen Shot 2021-08-12 at 14 39 54

Error:

Screen Shot 2021-08-12 at 14 39 48

Content Security Policy: The page’s settings blocked the loading of a resource at https://identity.netlify.com/v1/netlify-identity-widget.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://unpkg.com/netlify-cms@%5E2.0.0/dist/netlify-cms.js (“script-src”).

Expected Behaviour

Should not effected

Additional Info

Our homepage also show error

Screen Shot 2021-08-12 at 14 43 59

Content Security Policy: The page’s settings blocked the loading of a resource at https://analytics.google.com/g/collect?v=2&tid=G-Q32QC5END5&gtm=2oe8b0&_p=1768343212&sr=1920x1080&_gaz=1&ul=en-us&cid=1694819148.1628219111&_s=1&dl=https%3A%2F%2Fwww.wargabantuwarga.com%2F&dt=Informasi%20Faskes%20%26%20Alkes%20untuk%20COVID-19%20%7C%20Warga%20Bantu%20Warga&sid=1628753583&sct=9&seg=1&en=page_view&ep.debug_mode=true (“default-src”).
@mazipan mazipan added bug Something isn't working high-priority Issue with high priority labels Aug 12, 2021
@mazipan mazipan changed the title CSP cause CMS failed to open CSP cause Netlify CMS failed to open Aug 12, 2021
@mazipan
Copy link
Member Author

mazipan commented Aug 12, 2021

Call @asaadam & @resir014

@mazipan mazipan mentioned this issue Aug 12, 2021
Merged
2 tasks
@asaadam
Copy link
Contributor

asaadam commented Aug 12, 2021

oh sorry.
i will fix now

@asaadam asaadam mentioned this issue Aug 12, 2021
Merged
@kodiakhq kodiakhq bot closed this as completed in #653 Aug 12, 2021
@mazipan mazipan reopened this Aug 12, 2021
@mazipan
Copy link
Member Author

mazipan commented Aug 12, 2021

Keep this OPEN for now, for discussion w @resir014 later

@resir014
Copy link
Member

resir014 commented Aug 12, 2021
edited
Loading

@mazipan @asaadam We forgot to add the domains for Cloudinary as well.

image

Edit: #651.

@resir014 resir014 added the security Web security label Aug 12, 2021
@resir014 resir014 mentioned this issue Aug 12, 2021
Merged
2 tasks
@asaadam
Copy link
Contributor

asaadam commented Aug 12, 2021

just wondering, can we merge [[headers]] to one like this?

[[headers]]
  for ="/admin/*
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "same-origin"
    Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com 'unsafe-eval'; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "same-origin"
    Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com analytics.google.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
   for = "/_next/static/*"
   [headers.values]
    Cache-Control = "public, max-age=31536000, immutable"

it's also try to disabled 'unsafe-eval' except on admin page

@resir014
Copy link
Member

No. As per the TOML spec, each [[headers]] must exist on its own.

@mazipan
Copy link
Member Author

mazipan commented Aug 12, 2021
edited
Loading

I think the order was wrong @asaadam.

Should

[[headers]]
  for = "/*"
  [headers.values]
    # value
  for = "/admin/*"
  [headers.values]
    # value
  for = "/_next/static/*"
  [headers.values]
    Cache-Control = "public, max-age=31536000, immutable"

@asaadam
Copy link
Contributor

asaadam commented Aug 12, 2021
edited
Loading

I think the order was wrong @asaadam.

Should

[[headers]]
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "same-origin"
    Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com analytics.google.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
  for ="/admin/*
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "same-origin"
    Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com 'unsafe-eval'; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
   for = "/_next/static/*"
   [headers.values]
    Cache-Control = "public, max-age=31536000, immutable"

hmm, that make sense. oke i will try it

but as @resir014 comment, we should have seperate [[headers]] for each domain

@mazipan
Copy link
Member Author

mazipan commented Aug 12, 2021

Not sure about that 😂
I don't have knowledge to setting up Netlify TOML

@asaadam
Copy link
Contributor

asaadam commented Aug 12, 2021

okay I will try to create PR 😆

@mazipan
Copy link
Member Author

mazipan commented Aug 12, 2021
edited
Loading

Try reading some references first.
So we are not coding in blind

https://docs.netlify.com/routing/headers/
https://toml.io/en/v1.0.0-rc.3#array-of-tables

Hmmm, I hate TOML, why not just use YAML ya 😂

@asaadam
Copy link
Contributor

asaadam commented Aug 12, 2021

Try reading some references first.
So we are not coding in blind

https://docs.netlify.com/routing/headers/
https://toml.io/en/v1.0.0-rc.3#array-of-tables

Hmmm, I hate TOML, why not just use YAML ya 😂

based on this code

[[plugins]]
  package = "@netlify/plugin-nextjs"

[[plugins]]
  package = "netlify-plugin-cache-nextjs"

[[plugins]]
  package = "netlify-plugin-image-optim"

I assume we must declare [[headers]] again.

same here why not just use YAML 😂.

hopefully next header will soon can be used in netlifly, so we don't need to declare headers again 😭

@asaadam asaadam mentioned this issue Aug 12, 2021
Merged
@resir014
Copy link
Member

I thought I replied to this, but yeah, nope. As per the TOML spec, you must declare each [[headers]] separately. @asaadam @mazipan

@kodiakhq kodiakhq bot closed this as completed in #658 Aug 12, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zainfathoni zainfathoni

Labels
bug Something isn't working high-priority Issue with high priority security Web security
Projects
None yet
Milestone
No milestone
4 participants
@asaadam @resir014 @zainfathoni @mazipan