bug with processing CSP
mrl5 opened this issue · 4 comments
hello,
I think there is a bug with https://observatory.mozilla.org/analyze/app.windmill.dev
In the report there is:
Content Security Policy | -25 | Content Security Policy (CSP) header cannot be parsed successfully
I'm reporting a bug because of:
"(CSP) header cannot be parsed successfully"
where the CSP header is just fine and can be parsed by e.g.:
- Firefox 106.0.5 (64-bit)
- Chrome 107.0.5304.87 (Official Build) (64-bit)
- https://csp-evaluator.withgoogle.com/?csp=https://app.windmill.dev
- https://securityheaders.com/?followRedirects=on&hide=on&q=app.windmill.dev
This is the current header:
content-security-policy: frame-ancestors 'none'; frame-src 'none'; worker-src 'self'; child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline';
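To show what a spec-conformant parse of the header quoted in this issue looks like, here is an added example (not code from Observatory, Windmill or either commenter). It follows the CSP3 "parse a serialized CSP" algorithm, where a trailing `;` and repeated directive names are tolerated rather than treated as errors, and adds a small review pass whose findings are this editor's own assumptions about what a reviewer would flag in the parsed policy.

```python
import re
from typing import Dict, List

# Constructed sample: the header quoted in the issue above.
WINDMILL_CSP = (
    "frame-ancestors 'none'; frame-src 'none'; worker-src 'self'; "
    "child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline';"
)

DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def parse_csp(serialized: str) -> Dict[str, List[str]]:
    """Parse a serialized CSP the way the CSP3 algorithm does.

    Directives are ';'-separated, each a name followed by whitespace-separated
    values. An empty directive (e.g. from a trailing ';') is skipped and a
    repeated directive name is ignored after its first occurrence; neither is
    a parse error. Only a malformed directive name raises.
    """
    policy: Dict[str, List[str]] = {}
    for raw in serialized.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty directive, e.g. the trailing ';' in the sample
        name, *values = directive.split()
        name = name.lower()
        if not DIRECTIVE_NAME.match(name):
            raise ValueError(f"invalid directive name: {name!r}")
        policy.setdefault(name, values)  # first occurrence wins
    return policy


def review(policy: Dict[str, List[str]]) -> List[str]:
    """Assumed review checks: weak spots a reviewer would raise for this policy."""
    findings: List[str] = []
    script = policy.get("script-src")
    if script is None:
        findings.append("no script-src directive")
    else:
        # CSP3 ignores 'unsafe-inline' only when a nonce or hash is also present.
        keyed = any(v.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for v in script)
        if "'unsafe-inline'" in script and not keyed:
            findings.append("script-src permits inline scripts ('unsafe-inline' without nonce or hash)")
    if "default-src" not in policy:
        findings.append("no default-src: unlisted fetch directives (connect-src, img-src, style-src, ...) are unrestricted")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return findings
```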
@mrl5 When I fetch your site it doesn't appear that CloudFlare serves a CSP header
curl -i https://app.windmill.dev/
HTTP/2 200
date: Mon, 07 Nov 2022 14:30:25 GMT
content-type: text/html
cache-control: no-cache, no-store, must-revalidate
x-frame-options: DENY
x-content-type-options: nosniff
cf-cache-status: DYNAMIC
server-timing: cf-q-config;dur=6.9999950937927e-06
server: cloudflare
cf-ray: 7666c4476b410885-SEA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
<!DOCTYPE html>
<html lang="en">
...
hello @gene1wood, thanks for reaching out
indeed, now the content-security-policy header is disabled again when you enter https://app.windmill.dev/, but at the time when I was reporting this issue it was there and I actually provided it in the first post, let me re-paste it:
frame-ancestors 'none'; frame-src 'none'; worker-src 'self'; child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline';
let me know if this is enough for you to check what might be the issue or if you actually need content-security-policy to be present again when doing a request to https://app.windmill.dev/
If/when the CSP header is live again and the observatory can see it, feel free to update here and I may be able to take a look.
ok, let me then close it now and reopen once we've enabled it again
thanks for your time