
CSP improvement opportunities


I came across this issue just now which makes a good point about nonce reuse due to it being defined at build time.

I also wonder if it wouldn’t be better to set a CSP from the main process to ensure it will apply to any newly created windows? Doing it from within Electron would allow for setting nonce at runtime rather than build time, and additionally would allow for users to access the nonce for packages they use which need the value, like Emotion (and I assume Styled-Components.)

   const { app, session } = require('electron');
   const cspString = "default-src 'self'"; // policy text; a nonce can be generated here at runtime
   app.whenReady().then(() => { // sessions exist only after the app is ready
     session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
       details.responseHeaders['Content-Security-Policy'] = [cspString]; // header values are string arrays
       callback({ responseHeaders: details.responseHeaders });
     });
   });

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 19 (18 by maintainers)

Top GitHub Comments

1 reaction
Slapbox commented, Aug 10, 2022

Sorry for the lengthy delay @reZach - I was leaving this unread until I could get to it, but somehow it ended up read.

The dynamic nonce approach I mentioned doesn’t seem worth the extra effort that resource hashes might have been worth.

If someone does have the bandwidth to complete that PR to satisfy the requested changes, that would probably be best - but I’m not 100% sure that that would result in the PR being merged so it’s hard to feel like it’s worth the effort (for us at least) compared with other objectives we’re working to complete.

Unless someone does undertake completing that PR, I’m in the “wait and see” boat for this one. It would be a nice security improvement, but it’s not like security is completely broken without it.

1 reaction
reZach commented, Jun 29, 2022

@Slapbox the PR was closed, I briefly read it - did you have a recommendation for moving forward with this one?
