
[dagit] Introduce a CSP
ClosedPublic

Authored by dish on Jul 16 2021, 5:49 PM.

Details

Summary

Add a CSP to the Dagit app.

  • Lock down default-src and override with some 'self' and a few other minor needs.
  • In prod usage, within app.py, generate a one-time nonce and insert into index.html. This is used as __webpack_nonce__ (https://webpack.js.org/guides/csp/), which can then be consumed by styled-components.
  • In development, allow inline style and script since we won't have a nonce.
Test Plan

Load Dagit in development. Verify that the app loads properly, and that scripts, XHR, WebSockets, images, styles, etc. all work as expected, with no CSP errors.

yarn build-for-python to generate a prod build, then run Dagit with it. Verify same as above, and verify that the nonce is generated anew on page loads, and is consumed correctly by styled-components.

Diff Detail

Repository: R1 dagster

Event Timeline

Examples:

Prod:

<meta http-equiv="Content-Security-Policy" content="base-uri 'self'; object-src 'none'; script-src 'self' 'nonce-8645ed76c6ee427abdfd76c042388f2d'; style-src 'self' 'nonce-8645ed76c6ee427abdfd76c042388f2d'; default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; manifest-src 'self'">

Dev:

<meta http-equiv="Content-Security-Policy" content="base-uri 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' 'unsafe-eval'; style-src 'unsafe-inline' 'self' 'unsafe-eval'; default-src 'none'; connect-src 'self' ws:; font-src 'self'; img-src 'self' data:; manifest-src 'self'">
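The following is an added example (not Dagit's own app.py code) of the scheme described in the summary and illustrated by the two policies above: a fresh nonce per page load, the prod policy gated on that nonce, the dev policy falling back to inline allowances, and the nonce inserted into index.html so that a nonce-carrying bootstrap script can publish it as __webpack_nonce__ for styled-components. The INDEX_TEMPLATE markers and the bootstrap script line are assumptions; the page does not show the real template.

```python
import secrets
from typing import Optional, Tuple

# Constructed template standing in for Dagit's index.html; the placeholder names
# and the __webpack_nonce__ bootstrap line are assumptions, not the real file.
INDEX_TEMPLATE = """<!doctype html><html><head>
__CSP_META__
<script nonce="__NONCE__">window.__webpack_nonce__ = "__NONCE__";</script>
</head><body><div id="root"></div></body></html>"""


def generate_nonce() -> str:
    # 16 CSPRNG bytes, hex-encoded (32 chars); must be generated anew on every page load,
    # since a reused nonce lets any previously observed inline script run again.
    return secrets.token_hex(16)


def build_csp(nonce: Optional[str] = None, dev: bool = False) -> str:
    """Return the CSP directive string: nonce-gated in prod, inline-permissive in dev."""
    if dev:
        # No nonce in dev, so inline script/style are allowed (mirrors the dev policy above).
        script_src = style_src = "'unsafe-inline' 'self' 'unsafe-eval'"
        connect_src = "'self' ws:"  # dev server WebSocket
    else:
        if not nonce:
            raise ValueError("prod CSP requires a per-page nonce")
        script_src = style_src = f"'self' 'nonce-{nonce}'"
        connect_src = "'self'"
    return "; ".join([
        "base-uri 'self'",
        "object-src 'none'",
        f"script-src {script_src}",
        f"style-src {style_src}",
        "default-src 'none'",
        f"connect-src {connect_src}",
        "font-src 'self'",
        "img-src 'self' data:",
        "manifest-src 'self'",
    ])


def render_index(template: str = INDEX_TEMPLATE, dev: bool = False) -> Tuple[str, Optional[str]]:
    """Fill in the CSP meta tag and the nonce. The inline bootstrap script carries the
    same nonce, so it passes script-src itself and can hand the value to webpack/styled-components."""
    nonce = None if dev else generate_nonce()
    meta = f'<meta http-equiv="Content-Security-Policy" content="{build_csp(nonce, dev)}">'
    page = template.replace("__CSP_META__", meta).replace("__NONCE__", nonce or "")
    return page, nonce
```

Calling render_index() twice yields two different nonces, which is the check the test plan asks for.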
dish requested review of this revision. Jul 16 2021, 6:14 PM
This revision is now accepted and ready to land. Jul 16 2021, 6:34 PM
This revision was automatically updated to reflect the committed changes.