
Fix CC license CSP error #14895

Merged (4 commits, Jul 29, 2024)

Conversation

@janbrasna (Contributor) commented Jul 26, 2024

One-line summary

CC serves their assets via a mirror* subdomain, violating the CSP rule here. Keeping the policy loosened for just this one occurrence doesn't seem worth it, so this PR stores the SVG badge for CC-BY-SA locally.

Significant changes and points to review

Also removes creativecommons.org from img-src CSP.

Issue / Bugzilla link

Fixes #14889

Testing

http://localhost:8000/en-US/foundation/licensing/website-content/
(Also, to see the additional report-only header locally, you have to provide a reporting endpoint in the CSP_REPORT_URI environment variable.)
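The reason the CC badge tripped the policy is how CSP host-source matching works: a bare host such as creativecommons.org in img-src matches only that exact host, so an asset fetched (or redirected) from any subdomain is blocked unless the source is written as *.creativecommons.org. The matcher below is an added example, not bedrock's code or django-csp's implementation; it implements the CSP3 host-source, scheme-source and 'self' rules in simplified form (no redirect tracking, no IPv6, no nonce or hash handling) and evaluates the same image URL against an enforced and a report-only policy, the way the two headers described in this PR would. The mirror hostname, the local badge path, the www.mozilla.org page origin and the policies themselves are constructed for illustration; the page only says CC serves from a "mirror*" subdomain.

```python
"""Minimal CSP source-expression matcher (CSP3 host-source rules, simplified).

Added example, not bedrock code. Hostnames, paths and policies below are
constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(header: str) -> dict[str, list[str]]:
    """Turn "img-src a b; style-src c" into {"img-src": ["a", "b"], "style-src": ["c"]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> tuple[str, str, int | None]:
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _scheme_ok(pattern: str, scheme: str) -> bool:
    # CSP lets an http: / ws: source also match the secure variant.
    pattern = pattern.lower()
    return scheme == pattern or (pattern, scheme) in {("http", "https"), ("ws", "wss")}


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression ('self', creativecommons.org, https:, ...) match url?"""
    src = source.strip()
    scheme, host, port = _origin(url)
    path = urlsplit(url).path or "/"
    if src == "'none'":
        return False
    if src == "'self'":
        return (scheme, host, port) == _origin(page_origin)
    if src.startswith("'"):                      # nonces, hashes, 'unsafe-inline' never match a fetch
        return False
    if src == "*":
        return scheme in DEFAULT_PORTS            # simplified: any network scheme
    if src.endswith(":") and "/" not in src:     # scheme-source such as data: or https:
        return _scheme_ok(src[:-1], scheme)
    # host-source: [scheme://]host[:port][/path]
    pat_scheme, _, rest = src.partition("://") if "://" in src else ("", "", src)
    hostport, slash, pat_path = rest.partition("/")
    pat_host, _, pat_port = hostport.partition(":")
    pat_host = pat_host.lower()
    if pat_scheme and not _scheme_ok(pat_scheme, scheme):
        return False
    if pat_host.startswith("*."):
        if not host.endswith(pat_host[1:]):      # "*.example.org" matches "a.example.org", not "example.org"
            return False
    elif pat_host != "*" and host != pat_host:   # no wildcard: the host must be exactly equal
        return False
    if pat_port and pat_port != "*":
        if str(port) != pat_port:
            return False
    elif not pat_port and port != DEFAULT_PORTS.get(scheme):
        return False
    if slash:
        pat_path = "/" + pat_path
        if pat_path.endswith("/"):
            return path.startswith(pat_path)      # directory prefix
        return path == pat_path                   # exact file
    return True


def allowed_by(policy: dict[str, list[str]], directive: str, url: str, page_origin: str) -> bool:
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)


def classify(enforced, report_only, directive: str, url: str, page_origin: str) -> str:
    """'blocked' by the enforced header, 'reported' only by the report-only one, or 'allowed'."""
    if not allowed_by(enforced, directive, url, page_origin):
        return "blocked"
    if report_only and not allowed_by(report_only, directive, url, page_origin):
        return "reported"
    return "allowed"


# Constructed inputs (assumptions, not values taken from the PR).
PAGE = "https://www.mozilla.org"
CC_BUTTON = "https://creativecommons.org/images/public/somerights20.gif"                    # the old <img> src
CC_MIRROR = "https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/by-sa.svg"     # assumed mirror URL
LOCAL_BADGE = "https://www.mozilla.org/media/img/foundation/licensing/cc-by-sa.svg"        # assumed local path
OLD_ENFORCED = parse_policy("default-src 'self'; img-src 'self' data: creativecommons.org")
WILDCARD = parse_policy("default-src 'self'; img-src 'self' data: *.creativecommons.org")
NEW_ENFORCED = parse_policy("default-src 'self'; img-src 'self' data:")
NEW_REPORT_ONLY = parse_policy("default-src 'self'; img-src 'self'")   # tighter candidate policy


def cc_badge_outcomes() -> dict[str, str]:
    return {
        "old policy, original url": classify(OLD_ENFORCED, None, "img-src", CC_BUTTON, PAGE),
        "old policy, mirror url": classify(OLD_ENFORCED, None, "img-src", CC_MIRROR, PAGE),
        "wildcard policy, mirror url": classify(WILDCARD, None, "img-src", CC_MIRROR, PAGE),
        "new policy, local badge": classify(NEW_ENFORCED, NEW_REPORT_ONLY, "img-src", LOCAL_BADGE, PAGE),
        "new policy, data: image": classify(NEW_ENFORCED, NEW_REPORT_ONLY, "img-src", "data:image/png;base64,AAAA", PAGE),
    }


if __name__ == "__main__":
    for case, outcome in cc_badge_outcomes().items():
        print(f"{case:32} {outcome}")
```

Running it shows the three options the PR weighed: the original creativecommons.org URL was allowed, the mirror subdomain is blocked by the same source, a *.creativecommons.org wildcard would allow it (the "loosened" policy the PR declined), and once the badge is served from the site's own origin it matches 'self' under both the enforced and the report-only policy. The data: case shows what a report-only header does: the fetch succeeds but a violation report is sent to CSP_REPORT_URI.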

codecov bot commented Jul 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.34%. Comparing base (d6c3871) to head (61dd061).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #14895   +/-   ##
=======================================
  Coverage   77.34%   77.34%           
=======================================
  Files         161      161           
  Lines        8348     8348           
=======================================
  Hits         6457     6457           
  Misses       1891     1891           


@alexgibson (Member) left a comment

Thanks for helping out with this! Just a couple of things below:

<a rel="license" href="https://creativecommons.org/licenses/by-sa/3.0/deed.locale">
<img alt="Creative Commons License"src="https://creativecommons.org/images/public/somerights20.gif" width="88" height="31">
<a rel="license" href="https://creativecommons.org/licenses/by-sa/3.0/deed.locale" title="Creative Commons License">
<svg xmlns="http://www.w3.org/2000/svg" width="88" height="31" viewBox="0 0 88 31"><path fill="#AAB2AB" d="M2.499.352 85.626.5c1.161 0 2.198-.173 2.198 2.333l-.102 27.552H.401V2.73C.401 1.495.52.352 2.499.352z"/><path fill="#FFF" d="M25.316 14.449c.003 5.557-4.471 10.065-9.993 10.069-5.522.003-10.001-4.5-10.005-10.057v-.012C5.315 8.891 9.789 4.383 15.312 4.38c5.522-.004 10.001 4.5 10.005 10.057l-.001.012zM46.464 3.306c4.349 0 7.875 3.548 7.875 7.925s-3.526 7.926-7.875 7.926c-4.35 0-7.875-3.548-7.875-7.926-.001-4.377 3.525-7.925 7.875-7.925zm28.632 7.751c.003 4.314-3.47 7.814-7.757 7.818-4.286.003-7.765-3.492-7.769-7.806v-.012c-.002-4.314 3.471-7.814 7.758-7.817s7.765 3.492 7.768 7.806v.011z"/><path d="M23.446 6.252c2.217 2.232 3.326 4.964 3.326 8.197s-1.089 5.936-3.269 8.11c-2.313 2.289-5.046 3.434-8.2 3.434-3.116 0-5.802-1.135-8.057-3.405-2.256-2.271-3.383-4.982-3.383-8.138S4.99 8.561 7.246 6.252c2.198-2.232 4.884-3.348 8.057-3.348 3.212 0 5.926 1.116 8.143 3.348zM8.739 7.753c-1.875 1.905-2.812 4.138-2.812 6.698 0 2.561.928 4.773 2.783 6.64s4.064 2.801 6.627 2.801 4.791-.942 6.684-2.829c1.797-1.752 2.697-3.955 2.697-6.611 0-2.636-.914-4.874-2.74-6.712s-4.04-2.757-6.641-2.757-4.801.923-6.598 2.77zm4.933 5.572c-.287-.628-.715-.942-1.287-.942-1.011 0-1.516.685-1.516 2.054 0 1.37.505 2.055 1.516 2.055.667 0 1.145-.333 1.431-1.002l1.401.751c-.668 1.194-1.67 1.792-3.006 1.792-1.03 0-1.856-.317-2.476-.954-.621-.636-.931-1.512-.931-2.629 0-1.099.32-1.97.959-2.616s1.436-.968 2.39-.968c1.413 0 2.424.56 3.035 1.679l-1.516.78zm6.593 0c-.287-.628-.707-.942-1.261-.942-1.031 0-1.547.685-1.547 2.054 0 1.37.516 2.055 1.547 2.055.669 0 1.137-.333 1.404-1.002l1.433.751c-.667 1.194-1.667 1.792-3.001 1.792-1.029 0-1.853-.317-2.473-.954-.619-.636-.928-1.512-.928-2.629 0-1.099.314-1.97.943-2.616.628-.646 1.428-.968 2.4-.968 1.41 0 2.42.56 3.029 1.679l-1.546.78zM86.353 0H1.647C.739 0 0 .744 0 1.658v28.967c0 .207.167.375.372.375h87.256a.374.374 0 0 0 .372-.375V1.658C88 .744 87.261 0 
86.353 0zM1.647.749h84.705c.498 0 .903.408.903.909v20.109H26.714c-2.219 4.038-6.494 6.779-11.401 6.779-4.908 0-9.183-2.738-11.4-6.779H.744V1.658c0-.501.405-.909.903-.909zM67.277 2.5c-2.355 0-4.349.827-5.98 2.481-1.675 1.712-2.512 3.737-2.512 6.077s.837 4.351 2.512 6.034c1.674 1.683 3.668 2.524 5.98 2.524 2.342 0 4.371-.849 6.089-2.546 1.616-1.611 2.427-3.616 2.427-6.012s-.824-4.422-2.471-6.077C71.677 3.327 69.662 2.5 67.277 2.5zm.022 1.54c1.93 0 3.569.685 4.918 2.054 1.361 1.355 2.043 3.01 2.043 4.964 0 1.968-.666 3.602-2.001 4.9-1.405 1.397-3.058 2.096-4.96 2.096-1.901 0-3.541-.691-4.917-2.074-1.376-1.384-2.064-3.024-2.064-4.921s.695-3.552 2.086-4.964c1.332-1.371 2.965-2.055 4.895-2.055zm-3.791 5.809c.34-2.153 1.846-3.304 3.733-3.304 2.716 0 4.369 1.982 4.369 4.626 0 2.58-1.76 4.584-4.411 4.584-1.824 0-3.457-1.13-3.755-3.347h2.143c.063 1.151.806 1.556 1.866 1.556 1.209 0 1.994-1.13 1.994-2.857 0-1.812-.679-2.771-1.951-2.771-.934 0-1.739.341-1.909 1.513l.623-.003-1.687 1.697-1.686-1.697.671.003zm-14.765-.911a.551.551 0 0 0-.55-.553h-3.478a.552.552 0 0 0-.55.553v3.5h.971v4.145h2.636v-4.145h.971v-3.5zM46.455 5.53c.656 0 1.189.536 1.189 1.197s-.533 1.197-1.189 1.197c-.657 0-1.189-.536-1.189-1.197s.532-1.197 1.189-1.197zm-.012-3.03c-2.355 0-4.349.827-5.981 2.481-1.675 1.711-2.512 3.737-2.512 6.076s.837 4.351 2.512 6.034c1.674 1.683 3.668 2.524 5.981 2.524 2.342 0 4.371-.849 6.088-2.547 1.619-1.611 2.428-3.615 2.428-6.012s-.823-4.421-2.47-6.076c-1.645-1.654-3.661-2.48-6.046-2.48zm.022 1.539c1.93 0 3.569.685 4.917 2.054 1.363 1.355 2.044 3.01 2.044 4.963 0 1.968-.666 3.602-2.001 4.9-1.405 1.398-3.058 2.096-4.96 2.096-1.901 0-3.541-.691-4.917-2.075-1.377-1.383-2.065-3.023-2.065-4.921 0-1.896.695-3.551 2.086-4.963 1.334-1.369 2.966-2.054 4.896-2.054z"/><path fill="#FFF" d="m69.277 24.171 1.816 4.888h-1.109l-.367-1.089h-1.816l-.381 1.089h-1.074l1.836-4.888h1.095zm.062 2.997-.612-1.793h-.014l-.633 1.793h1.259zm-6.079.682a.765.765 0 0 0 
.234.277c.098.071.211.124.342.158.133.034.268.051.408.051.095 0 .197-.008.306-.023s.21-.047.306-.093a.66.66 0 0 0 .236-.188.472.472 0 0 0 .096-.305.43.43 0 0 0-.126-.321 1.001 1.001 0 0 0-.329-.206 3.269 3.269 0 0 0-.461-.143 13.5 13.5 0 0 1-.523-.138 4.963 4.963 0 0 1-.531-.167 1.798 1.798 0 0 1-.461-.258 1.18 1.18 0 0 1-.33-.393 1.217 1.217 0 0 1-.125-.572c0-.252.053-.469.16-.654.105-.184.246-.338.418-.462.172-.123.366-.214.584-.274.217-.059.436-.088.652-.088.254 0 .497.028.73.086.232.057.44.149.621.277.182.127.326.291.432.49.107.198.16.439.16.723h-1.036a.883.883 0 0 0-.091-.363c-.053-.096-.121-.172-.207-.227s-.184-.094-.295-.115a1.762 1.762 0 0 0-.361-.035c-.086 0-.172.01-.258.027a.694.694 0 0 0-.232.096c-.07.047-.129.104-.174.172s-.067.155-.067.26c0 .096.019.174.054.232.037.061.109.115.215.165s.254.101.441.151l.736.191c.092.018.217.051.377.1.161.047.32.123.479.229.159.105.296.246.412.422.115.176.173.4.173.674 0 .225-.044.432-.13.623a1.345 1.345 0 0 1-.384.496 1.833 1.833 0 0 1-.632.326 2.965 2.965 0 0 1-.874.116c-.268 0-.527-.033-.779-.1a1.952 1.952 0 0 1-.667-.312 1.552 1.552 0 0 1-.459-.543 1.62 1.62 0 0 1-.163-.78h1.036a.888.888 0 0 0 .087.418zm-17.287-3.679h1.198l1.138 1.931 1.13-1.931h1.19l-1.803 3.012v1.876h-1.07v-1.903l-1.783-2.985zm-1.975 0c.231 0 .442.021.633.062s.354.108.491.201a.95.95 0 0 1 .316.373c.075.155.112.348.112.575 0 .247-.055.451-.167.616a1.2 1.2 0 0 1-.493.402c.3.088.523.239.672.456.148.218.223.479.223.784 0 .246-.049.46-.144.641-.095.18-.224.327-.386.441a1.713 1.713 0 0 1-.552.254 2.47 2.47 0 0 1-.638.082h-2.358V24.17h2.291v.001zm-.137 1.976a.774.774 0 0 0 .47-.136c.123-.092.185-.239.185-.444 0-.114-.021-.208-.062-.28s-.095-.129-.164-.17-.146-.07-.235-.086a1.558 1.558 0 0 0-.276-.023h-1v1.14h1.082zm.062 2.075c.105 0 .205-.01.3-.03a.72.72 0 0 0 .252-.104c.073-.047.13-.112.174-.194s.065-.187.065-.315c0-.25-.071-.43-.212-.536-.141-.107-.328-.161-.559-.161h-1.166v1.341h1.146z"/></svg>
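Review bot: the inlined `<svg>` drops the accessible name that the removed `<img alt="Creative Commons License" ...>` carried; the `title` attribute moved onto the `<a>` is not a reliable substitute for screen readers. If the inline SVG stays, give it `role="img"` and a `<title>Creative Commons License</title>` child; if it goes back to an `<img>`, keep the `alt`.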
@alexgibson (Member) commented Jul 29, 2024

Can we please load this as a regular <img>? I don't think we really gain much here by in-lining the image, and having inline images makes them hard to search for in the future.

@janbrasna (Contributor, Author) commented

I originally used more modern iconography that was just a few shapes:

[Screenshot 2024-07-29 at 11 07 44]

But they don't seem to use the "some rights reserved" tagline much anymore these days, so I eventually opted for one of the buttons instead.

Looking at this button code, it's rather large, yeah. I'll move it out.

@@ -270,6 +270,7 @@
# CSP directive updates we're testing that we hope to move to the enforced policy.
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE]
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE)
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["img-src"].remove("creativecommons.org")
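Review bot: the added `.remove("creativecommons.org")` on the report-only `img-src` list raises ValueError at import time as soon as the host is no longer in the base list, and since the badge is now served locally there is no reason to keep it in the enforced policy either; drop `creativecommons.org` from the base img-src source list instead of subtracting it here. Also check that the report-only DIRECTIVES are a deep copy of the enforced ones: `.remove` mutates the list in place, so with a shallow copy this line (and the `style-src` line above it) would silently change the enforced policy as well.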
@alexgibson (Member) commented Jul 29, 2024

I think we are pretty safe just to remove creativecommons.org from _csp_img_src entirely, as a quick search suggests this is the only image we load from that domain.

@alexgibson (Member) left a comment

r+ thanks!

I'm going to hold off merging this as we're now in a code freeze for our upcoming company moz-week event. But we'll merge this after Aug 19th.

@janbrasna (Contributor, Author) commented

Ack. Did my best to hotfix it beforehand ;) to silence the logs/reports, but given that this page is outside of any IA structure, it hopefully won't get many pings during those few weeks.

@alexgibson (Member) commented

> but given that this page is outside of any IA structure, it hopefully won't get many pings during those few weeks.

Yeah this page gets very little (to virtually no) traffic. It's likely content that we will remove/migrate somewhere else in the mid-term future as part of the site refresh.

@alexgibson added the labels Frontend (HTML, CSS, JS... client side stuff) and P3 (Third level priority - Nice to have) on Jul 29, 2024

@alexgibson (Member) commented

Going to merge this (we discussed that things like this are OK to merge, but we won't deploy them).

@alexgibson alexgibson merged commit cdefcaf into mozilla:main Jul 29, 2024
5 checks passed
@janbrasna janbrasna deleted the fix/cc-csp branch July 29, 2024 19:24
Linked issue this pull request may close: CSP img error on /foundation/licensing/website-content/