Expose methods to disable content security policy or loosen it for embedded iframes by justinvelluppillai · Pull Request #17910 · matomo-org/matomo · GitHub

Expose methods to disable content security policy or loosen it for embedded iframes #17910

Merged
merged 7 commits into from
Sep 2, 2021

Conversation

justinvelluppillai
Contributor

Description:

See dev-2271, this PR provides methods for SessionRecording to be able to embed a page in an iframe.

Review

@justinvelluppillai justinvelluppillai added the Needs Review PRs that need a code review label Aug 21, 2021
@justinvelluppillai justinvelluppillai added this to the 4.5.0 milestone Aug 21, 2021
@sgiehl
Member

sgiehl commented Aug 25, 2021

@justinvelluppillai might be unrelated to this issue, but could you check if opening a row evolution shows csp warnings for you?
I'm seeing this for the sparklines:

[Report Only] Refused to load the image 'data:image/png;base64,…' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

@justinvelluppillai
Contributor Author

@sgiehl yes, this is relevant to this issue. @tsteur, this means we need the data: policy in most places, so I will add it also to the default-src directive for all Matomo pages.
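The warning @sgiehl quotes is the browser applying img-src's fallback to default-src, which lists no data: source. The snippet below is an added example, not Matomo's code, that models that resolution step in JavaScript and shows which policy form lets the base64 sparklines load; PAGE_ORIGIN and the policy strings are constructed for the example.

```javascript
// Constructed origin for the page that serves the report (not a real Matomo host).
const PAGE_ORIGIN = "https://matomo.example";

// Parse "directive src src; directive src" into Map<directive, [sources]>.
function parsePolicy(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) map.set(name.toLowerCase(), sources);
  }
  return map;
}

// Fetch directives such as img-src fall back to default-src when not set.
// Returns which directive actually governs the load, as the console message does.
function effectiveSources(map, directive) {
  if (map.has(directive)) return { directive, sources: map.get(directive) };
  if (map.has("default-src")) return { directive: "default-src", sources: map.get("default-src") };
  return null; // neither present: the load is unrestricted
}

// Match one source expression against the resolved URL. Only the forms that
// matter here: 'self', a scheme source such as data:, '*', and a host origin.
// Keyword sources like 'unsafe-inline' never match a URL and fall to false.
function sourceMatches(src, url) {
  if (src === "'self'") return url.origin === PAGE_ORIGIN;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  try { return new URL(src).origin === url.origin; } catch { return false; }
}

// Decide whether an image URL may load under the policy; the directive field
// tells the caller whether img-src or the default-src fallback made the call.
function checkImage(policy, imgUrl) {
  const eff = effectiveSources(parsePolicy(policy), "img-src");
  if (!eff) return { allowed: true, directive: null };
  const url = new URL(imgUrl, PAGE_ORIGIN); // data: URLs have origin "null", so 'self' never matches them
  const allowed = eff.sources.some((s) => sourceMatches(s, url));
  return { allowed, directive: eff.directive };
}
```

Running checkImage with the policy from the warning and a data: image returns allowed: false decided by default-src; adding data: to default-src, or setting img-src explicitly, flips it to allowed: true.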

@github-actions
Contributor

github-actions bot commented Sep 2, 2021

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

@github-actions github-actions bot added the Stale The label used by the Close Stale Issues action label Sep 2, 2021
@tsteur tsteur merged commit 33db50c into 4.x-dev Sep 2, 2021
@tsteur tsteur deleted the dev-2271-csp-allow-iframe-embed branch September 2, 2021 04:43
tsteur added a commit that referenced this pull request Sep 2, 2021
tsteur added a commit that referenced this pull request Sep 2, 2021
@justinvelluppillai justinvelluppillai restored the dev-2271-csp-allow-iframe-embed branch September 2, 2021 22:45
@justinvelluppillai justinvelluppillai changed the title Expose methods to disable CSP or loosen it for embedded iframes Expose methods to disable content security policy or loosen it for embedded iframes Oct 6, 2021