Fix CC license CSP error #14895
Conversation
Codecov Report

All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
## main #14895 +/- ##
=======================================
Coverage 77.34% 77.34%
=======================================
Files 161 161
Lines 8348 8348
=======================================
Hits 6457 6457
Misses 1891 1891

☔ View full report in Codecov by Sentry.
Thanks for helping out with this! Just a couple of things below:
<a rel="license" href="https://creativecommons.org/licenses/by-sa/3.0/deed.locale"> | ||
<img alt="Creative Commons License"src="https://creativecommons.org/images/public/somerights20.gif" width="88" height="31"> | ||
<a rel="license" href="https://creativecommons.org/licenses/by-sa/3.0/deed.locale" title="Creative Commons License"> | ||
<svg xmlns="http://www.w3.org/2000/svg" width="88" height="31" viewBox="0 0 88 31"><path fill="#AAB2AB" d="M2.499.352 85.626.5c1.161 0 2.198-.173 2.198 2.333l-.102 27.552H.401V2.73C.401 1.495.52.352 2.499.352z"/><path fill="#FFF" d="M25.316 14.449c.003 5.557-4.471 10.065-9.993 10.069-5.522.003-10.001-4.5-10.005-10.057v-.012C5.315 8.891 9.789 4.383 15.312 4.38c5.522-.004 10.001 4.5 10.005 10.057l-.001.012zM46.464 3.306c4.349 0 7.875 3.548 7.875 7.925s-3.526 7.926-7.875 7.926c-4.35 0-7.875-3.548-7.875-7.926-.001-4.377 3.525-7.925 7.875-7.925zm28.632 7.751c.003 4.314-3.47 7.814-7.757 7.818-4.286.003-7.765-3.492-7.769-7.806v-.012c-.002-4.314 3.471-7.814 7.758-7.817s7.765 3.492 7.768 7.806v.011z"/><path d="M23.446 6.252c2.217 2.232 3.326 4.964 3.326 8.197s-1.089 5.936-3.269 8.11c-2.313 2.289-5.046 3.434-8.2 3.434-3.116 0-5.802-1.135-8.057-3.405-2.256-2.271-3.383-4.982-3.383-8.138S4.99 8.561 7.246 6.252c2.198-2.232 4.884-3.348 8.057-3.348 3.212 0 5.926 1.116 8.143 3.348zM8.739 7.753c-1.875 1.905-2.812 4.138-2.812 6.698 0 2.561.928 4.773 2.783 6.64s4.064 2.801 6.627 2.801 4.791-.942 6.684-2.829c1.797-1.752 2.697-3.955 2.697-6.611 0-2.636-.914-4.874-2.74-6.712s-4.04-2.757-6.641-2.757-4.801.923-6.598 2.77zm4.933 5.572c-.287-.628-.715-.942-1.287-.942-1.011 0-1.516.685-1.516 2.054 0 1.37.505 2.055 1.516 2.055.667 0 1.145-.333 1.431-1.002l1.401.751c-.668 1.194-1.67 1.792-3.006 1.792-1.03 0-1.856-.317-2.476-.954-.621-.636-.931-1.512-.931-2.629 0-1.099.32-1.97.959-2.616s1.436-.968 2.39-.968c1.413 0 2.424.56 3.035 1.679l-1.516.78zm6.593 0c-.287-.628-.707-.942-1.261-.942-1.031 0-1.547.685-1.547 2.054 0 1.37.516 2.055 1.547 2.055.669 0 1.137-.333 1.404-1.002l1.433.751c-.667 1.194-1.667 1.792-3.001 1.792-1.029 0-1.853-.317-2.473-.954-.619-.636-.928-1.512-.928-2.629 0-1.099.314-1.97.943-2.616.628-.646 1.428-.968 2.4-.968 1.41 0 2.42.56 3.029 1.679l-1.546.78zM86.353 0H1.647C.739 0 0 .744 0 1.658v28.967c0 .207.167.375.372.375h87.256a.374.374 0 0 0 .372-.375V1.658C88 .744 87.261 0 
86.353 0zM1.647.749h84.705c.498 0 .903.408.903.909v20.109H26.714c-2.219 4.038-6.494 6.779-11.401 6.779-4.908 0-9.183-2.738-11.4-6.779H.744V1.658c0-.501.405-.909.903-.909zM67.277 2.5c-2.355 0-4.349.827-5.98 2.481-1.675 1.712-2.512 3.737-2.512 6.077s.837 4.351 2.512 6.034c1.674 1.683 3.668 2.524 5.98 2.524 2.342 0 4.371-.849 6.089-2.546 1.616-1.611 2.427-3.616 2.427-6.012s-.824-4.422-2.471-6.077C71.677 3.327 69.662 2.5 67.277 2.5zm.022 1.54c1.93 0 3.569.685 4.918 2.054 1.361 1.355 2.043 3.01 2.043 4.964 0 1.968-.666 3.602-2.001 4.9-1.405 1.397-3.058 2.096-4.96 2.096-1.901 0-3.541-.691-4.917-2.074-1.376-1.384-2.064-3.024-2.064-4.921s.695-3.552 2.086-4.964c1.332-1.371 2.965-2.055 4.895-2.055zm-3.791 5.809c.34-2.153 1.846-3.304 3.733-3.304 2.716 0 4.369 1.982 4.369 4.626 0 2.58-1.76 4.584-4.411 4.584-1.824 0-3.457-1.13-3.755-3.347h2.143c.063 1.151.806 1.556 1.866 1.556 1.209 0 1.994-1.13 1.994-2.857 0-1.812-.679-2.771-1.951-2.771-.934 0-1.739.341-1.909 1.513l.623-.003-1.687 1.697-1.686-1.697.671.003zm-14.765-.911a.551.551 0 0 0-.55-.553h-3.478a.552.552 0 0 0-.55.553v3.5h.971v4.145h2.636v-4.145h.971v-3.5zM46.455 5.53c.656 0 1.189.536 1.189 1.197s-.533 1.197-1.189 1.197c-.657 0-1.189-.536-1.189-1.197s.532-1.197 1.189-1.197zm-.012-3.03c-2.355 0-4.349.827-5.981 2.481-1.675 1.711-2.512 3.737-2.512 6.076s.837 4.351 2.512 6.034c1.674 1.683 3.668 2.524 5.981 2.524 2.342 0 4.371-.849 6.088-2.547 1.619-1.611 2.428-3.615 2.428-6.012s-.823-4.421-2.47-6.076c-1.645-1.654-3.661-2.48-6.046-2.48zm.022 1.539c1.93 0 3.569.685 4.917 2.054 1.363 1.355 2.044 3.01 2.044 4.963 0 1.968-.666 3.602-2.001 4.9-1.405 1.398-3.058 2.096-4.96 2.096-1.901 0-3.541-.691-4.917-2.075-1.377-1.383-2.065-3.023-2.065-4.921 0-1.896.695-3.551 2.086-4.963 1.334-1.369 2.966-2.054 4.896-2.054z"/><path fill="#FFF" d="m69.277 24.171 1.816 4.888h-1.109l-.367-1.089h-1.816l-.381 1.089h-1.074l1.836-4.888h1.095zm.062 2.997-.612-1.793h-.014l-.633 1.793h1.259zm-6.079.682a.765.765 0 0 0 
.234.277c.098.071.211.124.342.158.133.034.268.051.408.051.095 0 .197-.008.306-.023s.21-.047.306-.093a.66.66 0 0 0 .236-.188.472.472 0 0 0 .096-.305.43.43 0 0 0-.126-.321 1.001 1.001 0 0 0-.329-.206 3.269 3.269 0 0 0-.461-.143 13.5 13.5 0 0 1-.523-.138 4.963 4.963 0 0 1-.531-.167 1.798 1.798 0 0 1-.461-.258 1.18 1.18 0 0 1-.33-.393 1.217 1.217 0 0 1-.125-.572c0-.252.053-.469.16-.654.105-.184.246-.338.418-.462.172-.123.366-.214.584-.274.217-.059.436-.088.652-.088.254 0 .497.028.73.086.232.057.44.149.621.277.182.127.326.291.432.49.107.198.16.439.16.723h-1.036a.883.883 0 0 0-.091-.363c-.053-.096-.121-.172-.207-.227s-.184-.094-.295-.115a1.762 1.762 0 0 0-.361-.035c-.086 0-.172.01-.258.027a.694.694 0 0 0-.232.096c-.07.047-.129.104-.174.172s-.067.155-.067.26c0 .096.019.174.054.232.037.061.109.115.215.165s.254.101.441.151l.736.191c.092.018.217.051.377.1.161.047.32.123.479.229.159.105.296.246.412.422.115.176.173.4.173.674 0 .225-.044.432-.13.623a1.345 1.345 0 0 1-.384.496 1.833 1.833 0 0 1-.632.326 2.965 2.965 0 0 1-.874.116c-.268 0-.527-.033-.779-.1a1.952 1.952 0 0 1-.667-.312 1.552 1.552 0 0 1-.459-.543 1.62 1.62 0 0 1-.163-.78h1.036a.888.888 0 0 0 .087.418zm-17.287-3.679h1.198l1.138 1.931 1.13-1.931h1.19l-1.803 3.012v1.876h-1.07v-1.903l-1.783-2.985zm-1.975 0c.231 0 .442.021.633.062s.354.108.491.201a.95.95 0 0 1 .316.373c.075.155.112.348.112.575 0 .247-.055.451-.167.616a1.2 1.2 0 0 1-.493.402c.3.088.523.239.672.456.148.218.223.479.223.784 0 .246-.049.46-.144.641-.095.18-.224.327-.386.441a1.713 1.713 0 0 1-.552.254 2.47 2.47 0 0 1-.638.082h-2.358V24.17h2.291v.001zm-.137 1.976a.774.774 0 0 0 .47-.136c.123-.092.185-.239.185-.444 0-.114-.021-.208-.062-.28s-.095-.129-.164-.17-.146-.07-.235-.086a1.558 1.558 0 0 0-.276-.023h-1v1.14h1.082zm.062 2.075c.105 0 .205-.01.3-.03a.72.72 0 0 0 .252-.104c.073-.047.13-.112.174-.194s.065-.187.065-.315c0-.25-.071-.43-.212-.536-.141-.107-.328-.161-.559-.161h-1.166v1.341h1.146z"/></svg> |
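Review bot: the replacement `<svg>` drops the accessible name that the removed `<img alt="Creative Commons License" ...>` carried; the `title="Creative Commons License"` now on the `<a>` helps, but the inline SVG itself exposes no `<title>` or `role="img"`/`aria-label`, so screen readers get nothing for the graphic. If the badge stays inline, add `role="img"` and an `aria-label` (or a `<title>` child) to the `<svg>`; if it moves to a locally hosted file, an `<img alt="Creative Commons License" src="...">` served from the site's own origin keeps both the `alt` text and `'self'` coverage under `img-src`, which is the reason for the change in the first place.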
Can we please load this as a regular `<img>`? I don't think we really gain much here by in-lining the image, and having inline images makes them hard to search for in the future.
bedrock/settings/__init__.py
Outdated
@@ -270,6 +270,7 @@ | |||
# CSP directive updates we're testing that we hope to move to the enforced policy. | |||
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE] | |||
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE) | |||
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["img-src"].remove("creativecommons.org") |
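Review bot: the added `.remove("creativecommons.org")` on the `img-src` list raises `ValueError` if the entry is no longer present, and since the surrounding lines are the report-only experiment block rather than the enforced policy, it also leaves `creativecommons.org` in the enforced `img-src` while only the report-only header tightens. Given the comment that this is the only image loaded from that domain, drop the entry from the source list the policy is built from (`_csp_img_src`, as suggested in the thread) instead of patching the directive here; that removes it from both headers and avoids a startup failure if someone later removes it upstream too.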
I think we are pretty safe just to remove `creativecommons.org` from `_csp_img_src` entirely, as a quick search suggests this is the only image we load from that domain.
r+ thanks!
I'm going to hold off merging this as we're now in a code freeze for our upcoming company moz-week event. But we'll merge this after Aug 19th.
Ack. Did my best to hotfix it beforehand ;) to silence the logs/reports, but given this page is outside of any IA structure it hopefully won't get many pings during the few weeks.

Yeah, this page gets very little (to virtually no) traffic. It's likely content that we will remove/migrate somewhere else in the mid-term future as part of the site refresh.

Going to merge this (we discussed that things like this are OK to merge, but we won't deploy them).
One-line summary

CC serves their assets via a mirror* subdomain, violating the CSP rule here. Keeping the policy loosened for just this one occurrence doesn't seem to be worth it, so this PR stores the SVG badge for CC-BY-SA locally.

Significant changes and points to review

Also removes `creativecommons.org` from the `img-src` CSP directive.

Issue / Bugzilla link

Fixes #14889

Testing

http://localhost:8000/en-US/foundation/licensing/website-content/

(+ to see the additional report-only header locally, you have to provide some reporting endpoint in ENV for `CSP_REPORT_URI`)
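The summary above hinges on one CSP detail: a bare host in `img-src` such as `creativecommons.org` matches that host only, not its subdomains, so a badge redirected to a `mirror*` subdomain is blocked (or, under the report-only header, reported) even though the domain looks allowed. The following is an added example, not bedrock's or django-csp's code, that implements the relevant part of CSP Level 3 host-source matching and runs the before and after `img-src` lists from this PR against sample image URLs. The `mirrors.creativecommons.org` hostname, the page origin and the local badge path are constructed for the demonstration; the policy lists are assumptions modelled on the PR, not the project's actual settings.

```python
from urllib.parse import urlsplit

# Constructed policy fragments modelled on the PR: the report-only img-src
# list before the fix (domain still allowed) and after it (domain removed,
# badge served from the site's own origin).
IMG_SRC_BEFORE = ["'self'", "creativecommons.org"]
IMG_SRC_AFTER = ["'self'"]

# Constructed sample URLs: the badge the template used to load, the mirror
# host that CC redirects to (hostname is an assumption), and a local copy.
PAGE_ORIGIN = "https://www.mozilla.org"
BADGE_ORIGINAL = "https://creativecommons.org/images/public/somerights20.gif"
BADGE_MIRROR = "https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/by-sa.svg"
BADGE_LOCAL = "https://www.mozilla.org/media/img/foundation/licensing/cc-by-sa.svg"


def _origin(url):
    """Return (scheme, lowercased host) for a URL; ports are ignored here."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def host_source_matches(source, url, page_origin):
    """Simplified CSP3 source-expression matching for a single img-src entry.

    Assumptions made for brevity: ports and path components are ignored, and a
    host written without a scheme is accepted for any scheme. The rules that
    matter for this PR are exact: a bare host matches only itself, and a
    '*.' prefix matches subdomains but not the bare domain.
    """
    scheme, host = _origin(url)
    if source == "'self'":
        return (scheme, host) == _origin(page_origin)
    if source == "'none'":
        return False
    if "://" in source:
        src_scheme, _, src_host = source.partition("://")
        if src_scheme.lower() != scheme:
            return False
    else:
        src_host = source
    src_host = src_host.split("/", 1)[0].lower()  # drop any path part
    if src_host.startswith("*."):
        # Wildcard host: any subdomain of the suffix, never the suffix itself.
        return host.endswith(src_host[1:])
    return host == src_host


def allowed(img_src, url, page_origin=PAGE_ORIGIN):
    """True if at least one img-src entry permits loading `url`."""
    return any(host_source_matches(s, url, page_origin) for s in img_src)


def blocked_by(img_src, urls, page_origin=PAGE_ORIGIN):
    """URLs that would be blocked (or, under report-only, reported) by the list."""
    return [u for u in urls if not allowed(img_src, u, page_origin)]


if __name__ == "__main__":
    candidates = [BADGE_ORIGINAL, BADGE_MIRROR, BADGE_LOCAL]
    print("before:", blocked_by(IMG_SRC_BEFORE, candidates))  # mirror URL is reported
    print("after: ", blocked_by(IMG_SRC_AFTER, candidates))   # only the local copy loads
```

The check shows why "the domain is in the policy" was not enough: the mirror hostname is reported under the old list, and the fix that keeps the policy tight is to serve the badge from `'self'` rather than to widen the entry to `*.creativecommons.org`, which would silently allow every subdomain.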