fix(csp): update ol and fix webpack global emit (#2138) #6009

Merged
merged 2 commits into from
Dec 7, 2021

@dagda1 dagda1 commented Nov 22, 2021

Summary

We are using netlify-cms for a client who has a strict CSP policy that would forbid adding:

```
"'unsafe-inline'",
"'unsafe-eval'",
```

to the CSP.

After looking into the problem, it would appear that rbush, which is here in the dependency tree:

```
netlify-cms
└─┬ [email protected] -> ./packages/netlify-cms-widget-map
  └─┬ [email protected]
    └── [email protected]
```

is using `new Function("blah"` calls, which will get blocked by CSP unless the unsafe- directives are added.

Upgrading ol to 6.9.0 upgrades rbush to 3.0.1 where the new Function calls have been replaced:

```
netlify-cms
└─┬ [email protected] -> ./packages/netlify-cms-widget-map
  └─┬ [email protected]
    └── [email protected]
```

**Checklist**

Please add a `x` inside each checkbox:

- [x] I have read the [contribution guidelines](../CONTRIBUTING.md).
- [x] Code is formatted via running `yarn format`.
- [x] Tests are passing via running `yarn test`.
- [ ] The status checks are successful (continuous integration). Those can be seen below.
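
To check a bundle for the same class of problem before tightening a policy, the following added example (not code from this pull request, rbush or ol) parses a CSP string and lists the string-to-code constructs in a source text that a policy without `'unsafe-eval'` blocks. The policy, the two sample snippets and all function names are constructed for illustration, and the regex scan is a heuristic rather than a parser.

```javascript
// Constructed inputs throughout; the two snippets imitate the pattern and are not rbush source.

// Source list that governs script execution: script-src, else default-src, else null.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // Only the first occurrence of a directive counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// With no governing directive, eval-like calls are not restricted by the policy.
function allowsEval(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructs that compile a string into code and therefore need 'unsafe-eval'.
const EVAL_SINKS = [
  { name: 'new Function', re: /\bnew\s+Function\s*\(/g },
  { name: 'eval', re: /(?<![.\w$])eval\s*\(/g },
  { name: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/g },
];

// Report each sink with its 1-based line number.
function findEvalSinks(source) {
  const hits = [];
  for (const { name, re } of EVAL_SINKS) {
    for (const m of source.matchAll(re)) {
      hits.push({ name, line: source.slice(0, m.index).split('\n').length });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Sinks found in `source` that `policy` would block (empty if the policy allows eval).
function blockedBy(policy, source) {
  return allowsEval(policy) ? [] : findEvalSinks(source);
}

// Constructed samples: a comparator compiled from a string vs. the same logic as a closure.
const compiled = `function cmp(f) {\n  return new Function('a', 'b', 'return a' + f + ' - b' + f);\n}`;
const closure = `function cmp(f) {\n  return (a, b) => a[f] - b[f];\n}`;
const strictPolicy = "default-src 'self'; script-src 'self' https://cdn.example";
console.log(blockedBy(strictPolicy, compiled), blockedBy(strictPolicy, closure));
```
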

@dagda1 dagda1 requested a review from a team November 22, 2021 19:03
@dagda1 dagda1 changed the title fix(csp): update ol and fix webpack type (#2138) fix(csp): update ol and fix webpack global emit (#2138) Nov 22, 2021
@taras taras mentioned this pull request Nov 22, 2021
4 tasks
@erezrokah erezrokah added the type: bug code to address defects in shipped code label Nov 30, 2021

@erezrokah erezrokah left a comment

Thanks @dagda1, this breaks our demo site and our e2e tests.

See error from the deploy preview:
image

@dagda1 dagda1 requested a review from erezrokah December 7, 2021 15:39
@dagda1 dagda1 force-pushed the fix/csp branch 2 times, most recently from 6b12e9e to 859e083 Compare December 7, 2021 16:09
babel.config.js (outdated, resolved)
@erezrokah

Added a comment, also not sure what's up with this check https://github.com/netlify/netlify-cms/pull/6009/checks?check_run_id=4446496928 as we don't use Azure pipelines

@dagda1

dagda1 commented Dec 7, 2021

> Added a comment, also not sure what's up with this check https://github.com/netlify/netlify-cms/pull/6009/checks?check_run_id=4446496928 as we don't use Azure pipelines

I think it is because there was a merge conflict which is now fixed.

Everything is.........green (at this time of writing).

@erezrokah erezrokah left a comment

🚀 This is good to go

@erezrokah erezrokah merged commit 4a4adf0 into decaporg:master Dec 7, 2021
@cowboyd cowboyd deleted the fix/csp branch December 7, 2021 19:48