mozilla/http-observatory-website

bug with processing CSP

mrl5 opened this issue · 4 comments

mrl5 commented

hello,

I think there is some bug for https://observatory.mozilla.org/analyze/app.windmill.dev

In the report there is:

Content Security Policy   -25 Content Security Policy (CSP) header cannot be parsed successfully

I'm reporting a bug because

(CSP) header cannot be parsed successfully

where the CSP header is just fine and can be parsed by e.g.:

This is the current header:

content-security-policy frame-ancestors 'none'; frame-src 'none'; worker-src 'self'; child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline';
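To check whether a header like the one above is syntactically valid, it helps to have a small parser that follows the serialized-policy grammar from CSP Level 3 (directives separated by `;`, each a name followed by whitespace-separated values, with duplicate directives ignored and empty directives skipped). The code below is an added example, not part of this issue or of the http-observatory project; the function names `parse_csp`, `parse_csp_list` and `csp_parses` are my own, and `ISSUE_CSP` is the header quoted in the report, copied here as sample input.

```python
import re
from typing import Dict, List

# Directive names are tokens of letters, digits and '-', matched case-insensitively.
_DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")
# A directive value is any run of characters other than whitespace, ',' and ';'.
_VALUE_TOKEN = re.compile(r"^[^\s,;]+$")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse one serialized CSP into {directive-name: [values]}.

    Raises ValueError on a malformed directive; this is the condition a
    "header cannot be parsed" finding corresponds to.
    """
    parsed: Dict[str, List[str]] = {}
    for raw_directive in policy.split(";"):
        directive = raw_directive.strip()
        if not directive:
            # Empty directive, e.g. produced by a trailing ';' - skipped, not an error.
            continue
        tokens = directive.split()
        name, values = tokens[0].lower(), tokens[1:]
        if not _DIRECTIVE_NAME.match(name):
            raise ValueError(f"invalid directive name: {tokens[0]!r}")
        for value in values:
            if not _VALUE_TOKEN.match(value):
                raise ValueError(f"invalid value {value!r} in {name}")
        if name in parsed:
            # CSP3: a repeated directive is ignored; the first occurrence wins.
            continue
        # A directive with no values (e.g. a bare "frame-ancestors") is valid syntax.
        parsed[name] = values
    return parsed


def parse_csp_list(header_value: str) -> List[Dict[str, List[str]]]:
    """Parse a Content-Security-Policy header value that may carry several
    policies joined with ',' (how repeated header fields are combined)."""
    return [parse_csp(p) for p in header_value.split(",") if p.strip()]


def csp_parses(header_value: str) -> bool:
    """True if every policy in the header value parses cleanly."""
    try:
        parse_csp_list(header_value)
    except ValueError:
        return False
    return True


# Sample input: the header quoted in the issue report above.
ISSUE_CSP = (
    "frame-ancestors 'none'; frame-src 'none'; worker-src 'self'; "
    "child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline';"
)

if __name__ == "__main__":
    for name, values in parse_csp(ISSUE_CSP).items():
        print(f"{name}: {' '.join(values) or '(no values)'}")
    print("parses:", csp_parses(ISSUE_CSP))
```

Run as a script, it prints the six directives of the quoted header and `parses: True`, which is the expected outcome for this header. Note that a clean parse only says the syntax is valid; the policy's strength is a separate question (for instance, `'unsafe-inline'` in `script-src` still allows inline scripts to run).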

gene1wood commented

@mrl5 When I fetch your site, it doesn't appear that CloudFlare serves a CSP header:

curl -i https://app.windmill.dev/
HTTP/2 200 
date: Mon, 07 Nov 2022 14:30:25 GMT
content-type: text/html
cache-control: no-cache, no-store, must-revalidate
x-frame-options: DENY
x-content-type-options: nosniff
cf-cache-status: DYNAMIC
server-timing: cf-q-config;dur=6.9999950937927e-06
server: cloudflare
cf-ray: 7666c4476b410885-SEA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

<!DOCTYPE html>
<html lang="en">
...
mrl5 commented

hello @gene1wood, thanks for reaching out

indeed, now the content-security-policy header is disabled again when you enter https://app.windmill.dev/, but at the time I was reporting this issue it was there, and I actually provided it in the first post; let me re-paste it:

frame-ancestors 'none'; frame-src 'none'; worker-src 'self'; child-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline';

let me know if this is enough for you to check what might be the issue, or whether you actually need content-security-policy to be present again when making a request to https://app.windmill.dev/

gene1wood commented

If/when the CSP header is live again and the observatory can see it, feel free to update here and I may be able to take a look.

mrl5 commented

ok, let me then close it now and reopen once we've enabled it again

thanks for your time