2020-03-27
we're running into a problem with websockets and Content-Security-Policy
when deploying our yada app to a staging environment:
sse.cljs:52 Refused to connect to '' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
We don't send this header in nginx. Is yada sending a default for this?
I do see a couple of issues around this: https://github.com/juxt/yada/issues/61
@dominicm I now have this:
;; Aliases are assumed from yada's usual stack: http = aleph.http,
;; d = manifold.deferred, s = manifold.stream (not shown in the original snippet).
(resource
 system
 {:swagger/tags ["app"]
  :id :dre.resources/sse
  ;; CSP header set on this resource only
  :content-security-policy "default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'"
  :methods
  {:get
   {:consumes "application/json"
    :produces "application/json"
    :response
    (fn [ctx]
      (let [req     (:request ctx)
            ;; upgrade the request to a websocket; returns a deferred socket stream
            conn    (http/websocket-connection req)
            user-id (auth/user-id (user-profile ctx))
            sse     (:dre.app.sse/sse system)
            ;; per-user channel that will be piped into the socket
            chan    (sse/new-chan-for-user! sse user-id)
            _       (-> conn
                        (d/chain (fn [socket] (s/connect chan socket)))
                        (d/catch (fn [e] (error e))))]
        (sse/send-message-to-user sse user-id :sse/ack)
        nil))}}})
but we're still getting something else back in the browser 😕
something else than: :content-security-policy "default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'"
https://juxt.pro/yada/manual/index.html#cross-origin-resource-sharing-cors access control
we used to have it on the top level of our yada resources like months or years ago:
:produces formats
:consumes formats
:content-security-policy content-security-policy
that seems to be the correct place: https://github.com/juxt/yada/blob/e92f35d1be6b8fabee65e280efebf71fae9c9b1b/src/yada/schema.clj#L518
hmm, adding :content-security-policy "default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'"
on ALL resources works, but not when I only add it to the resource which produces the websocket:
;; Aliases are assumed from yada's usual stack: http = aleph.http,
;; d = manifold.deferred, s = manifold.stream (not shown in the original snippet).
(defn new-websocket-resource
  [system]
  (resource
   system
   {:swagger/tags ["app"]
    :id :dre.resources/sse
    ;; CSP header set on this resource only
    :content-security-policy "default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'"
    :methods
    {:get
     {:consumes "application/json"
      :produces "application/json"
      :response
      (fn [ctx]
        (let [req     (:request ctx)
              ;; upgrade the request to a websocket; returns a deferred socket stream
              conn    (http/websocket-connection req)
              user-id (auth/user-id (user-profile ctx))
              sse     (:dre.app.sse/sse system)
              ;; per-user channel that will be piped into the socket
              chan    (sse/new-chan-for-user! sse user-id)
              _       (-> conn
                          (d/chain (fn [socket] (s/connect chan socket)))
                          (d/catch (fn [e] (error e))))]
          (sse/send-message-to-user sse user-id :sse/ack)
          {}))}}}))