
BackgroundIframeJs violating CSP #192

Open
elijah1210 opened this issue Jul 30, 2021 · 3 comments

Comments

@elijah1210

elijah1210 commented Jul 30, 2021

I am attempting to implement a CSP using `'self'`, some domains, some hashes, as well as a nonce.

My CSP is flagging `script-src-elem` when attempting to run line 75 of BackgroundIframe.js. I believe that it is because the iframe `src` property is being set to `javascript:""`.

Removing the explicit setting of the `src` to `javascript:""` solves the issue.

@wkeese
Member

wkeese commented Aug 1, 2021

A cleaner workaround is probably to just disable the background iframe altogether, i.e. something like:

```html
<script>
    dojoConfig = {
        has: {
            "config-bgIframe": false
        },
        ...
    };
</script>
```

... although looking at the code, it currently only creates the background iframe for IE and the old (pre-chromium) version of edge. Were you testing on IE? The iframe might still be needed there, not sure.

@elijah1210
Author

@wkeese I wasn't testing on IE; for some reason it got triggered in Chrome. I'm not 100% sure why something like this would have happened. It's a legacy application, so there might have been some work done to make it so that it gets called always to keep behaviour consistent across all browsers?
Additionally, after many attempts by members of my team to upgrade dojo, I have reason to believe that the source itself was modified and, as a result, I am stuck on 1.10.4, so I don't know if I can disable the bgIframe in that manner or if the fact that it was triggered was custom.
I'd also like to avoid constantly modifying the source if I can help it. I would like to minimize my personal effect on making our upgrade process laborious.

@wkeese
Member

wkeese commented Aug 3, 2021

Sounds pretty complicated. I agree of course that you shouldn't modify dojo's source if you can help it. To be clear, I was talking about setting dojoConfig in your application, not modifying the dojo source.

Like you said, maybe your app/company set the BackgroundIframe to show up for all browsers, via dojoConfig or modifying the source code.

I double-checked the BackgroundIframe.js in https://github.com/dojo/dijit/releases/tag/1.10.4, i.e. https://github.com/dojo/dijit/blob/03e1c2418c1eae2aa96bb536cc778499827e07aa/BackgroundIframe.js, and (AFAICT) it only enables the iframe for IE and MSEdge.
