Security Rules

[colinbes]

Finally getting to upgrade to Lift 3 (yay).

I am getting script-src content security warning due to lift-ng inserting js into page (inserting service calls) amongst others, eg

<script type="text/javascript">
  // <![CDATA[
  angular.module("bc.services",["lift-ng"]).factory("deviceService",["liftProxy", function(liftProxy{
  return {"getUsageTo": function(json) {return ...
);
// ]]>
</script>

Any suggestions or do I need to set script-src policy using LiftRules.securityRules as below?

scriptSources = List(
  ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self
   )

[joescii]

Hey Colin! This one slipped off my radar. Did you get CSP configured for your needs? One of these days I hope to refactor lift-ng to not need this tweaking.

[colinbes]

No problem. For now I have just set security policies via lift rules and also enabled extractInlineJavaScript. Not ideal (I think) but allows me to continue.

LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    styleSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.All
    ),
    connectSources = List(
        ContentSourceRestriction.All
    ),
    scriptSources = List(
      ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self
    ),
    imageSources = List(
        ContentSourceRestriction.UnsafeInline,
        ContentSourceRestriction.Self
    )        
  )))
} 

LiftRules.extractInlineJavaScript = true