#pedestal
2017-10-27
thosmos 23:10:56

I'm having some trouble with CSP errors in running lacinia-pedestal in a generic pedestal 0.5.3 service. I've attempted to add a CSP policy like ::http/secure-headers {:content-security-policy-settings {:script-src "*"}} into the service config, but I'm still getting errors about the policy being too restrictive: Refused to load the script '' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled. Any suggestions?

thosmos 23:10:30

I figured it out: I was using lacinia-pedestal's provided pedestal-service function to generate the service map which already ran ::http/create-server on it using the default pedestal CSP, and apparently, the service config needs to be altered before that step even though the output of that is still just a map...

hlship 17:10:30

In retrospect, it shouldn't do the http/create-server call. What do you think about adding an option (to lacinia-pedestal) to turn that off?

hlship 17:10:43

Alternately ... we're still alpha, an incompatible change would be to just drop the http/create-server step entirely, leave that the caller's responsibility.