ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
canvas-lms/config
History
Clay Diffrient 1da9fffe33 fix CSP enforcement, and show alerts for top level violations 
* send a CSP applying only to frames in the main page
 * send a CSP applying to both frames and scripts with attachments
 * tools only get included in the frame-src directive
 * include the files domain in both for now
 * search for course context on a file through submissions, if possible

Test Plan:
  - Enable CSP feature flag
  - Configure a csp_logging host in dynamic_settings.yml (see example)
  - Have a files domain configured
  - Turn whitelist on
  - Upload html file containing a violation like
    <script src="https://www.google.com/nonexistent.js/"></script>
  - Preview the file
  - The page should load, but your browser console should show that
    the JS was blocked
  - The browser network log should show a violation reported to the
    violation service
  - Embed an iframe in RCE stuff referencing some other site (like
    YouTube)
  - it should get blocked
  - Turn the whitelist off
  - Retry; the JS or iframe should (attempt) to load, but a violation
    should still be reported
  - Repeat all of the above, but this time be a student uploading an
    html file as a submission for an assignment, and then view the
    submission in speedgrader as a teacher/admin

Change-Id: I19823844b3d87fd19e43c17284cf7b987df26e74
Reviewed-on: https://gerrit.instructure.com/182000
Tested-by: Jenkins
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
 		2019-03-20 19:02:49 +00:00
..
environments enforce Bullet in specs 2018-08-10 17:28:44 +00:00
initializers make bulk_insert_objects 2019-03-15 15:54:20 +00:00
locales update nn translation 2019-03-19 05:55:57 -06:00
saml add first class support for the UK Federation 2017-08-08 20:26:52 +00:00
amazon_s3.yml.example aws sdk v2 support for attachments 2017-01-24 21:09:14 +00:00
application.rb configure the connection before checking the version 2018-11-27 20:03:29 +00:00
boot.rb Revert "Speed up boot time with bootsnap" 2017-05-22 23:24:32 +00:00
bounce_notifications.yml.example convert bounce notification processor to aws sdk v2 2016-12-13 19:33:43 +00:00
brakeman.ignore Support NRPS v2 filtering by Assignment `rlid` 2018-10-26 21:40:43 +00:00
brandable_css.yml make feature flags for Right To Left layout 2018-03-21 21:09:38 +00:00
browsers.yml update browsers in browsers.yml - to the safest level 2016-07-15 21:23:33 +00:00
cache_store.yml.example remove redis_store from test env 2017-09-20 15:42:09 +00:00
canvas_cdn.yml.example convert CDN uploader to AWS SDK v2 2016-12-19 23:43:06 +00:00
canvas_rails5.rb drop rails 5.0 2018-03-20 19:50:23 +00:00
cassandra.yml.example improve cassandra documentation 2017-09-29 19:28:08 +00:00
conditional_release.yml.example add functionality to get rules affecting an assignment 2016-10-06 18:51:07 +00:00
consul.yml.example Add dc config to jwk set_keys 2018-08-10 17:44:48 +00:00
copyright-template.js [eslint] have --fix add copyright header for you 2018-02-15 20:01:41 +00:00
cutycapt.yml.example
database.yml.example remove queue from production database.yml.example 2016-01-26 18:07:23 +00:00
database.yml.travis Added .travis.yml 2014-01-15 20:30:11 +00:00
delayed_jobs.yml.example allow enabling inst-jobs health checks 2018-05-11 19:22:32 +00:00
domain.yml.example api: translate absolute paths to full urls with the canvas host 2012-07-02 09:53:59 -06:00
dynamic_settings.yml.example fix CSP enforcement, and show alerts for top level violations 2019-03-20 19:02:49 +00:00
environment.rb da licença part 23 2017-04-27 21:51:35 +00:00
external_migration.yml.example
file_store.yml.example api: translate absolute paths to full urls with the canvas host 2012-07-02 09:53:59 -06:00
incoming_mail.yml.example improve robustness of incoming message processor 2013-04-29 14:47:09 +00:00
jslint.conf make jslint settings more sane 2012-08-17 11:04:40 -06:00
linked_in.yml.example
logging.yml.example allow setting the log level in logging.yml for syslog 2012-09-13 09:55:09 -06:00
marginalia.yml.example record migration name in marginalia comment 2016-03-09 04:00:47 +00:00
memcache.yml.example
notification_failures.yml.example convert notification_failure_processor to aws sdk v2 2016-12-16 18:47:48 +00:00
notification_service.yml.example convert notification service to AWS SDK v2 2016-10-31 17:44:57 +00:00
offline_web.yml.sample add canvas_offline_course_viewer to export package 2017-01-23 20:25:08 +00:00
outgoing_mail.yml.example add multiple reply-to support to outgoing mail. 2013-02-22 14:02:27 -07:00
periodic_jobs.yml.example
puma.rb Add copyright message to remaining .rb files 2018-03-19 13:38:50 +00:00
raven.yml.example get sentry into canvas 2015-04-13 22:26:15 +00:00
redis.yml.example move redis logging config to redis.yml 2018-08-29 17:03:51 +00:00
routes.rb Expose Rubric Assessment API endpoints CUD 2019-03-05 17:34:42 +00:00
saml.yml.example support multiple SAML private keys for decryption 2013-03-15 14:31:57 -06:00
security.yml.example Add client_credentials grant_type 2018-09-10 17:07:05 +00:00
selenium.yml.example docs: add auto_open_devtools to docker 2018-10-17 18:13:17 +00:00
session_store.yml.example update the example session_store.yml 2014-01-21 02:15:18 +00:00
statsd.yml.example optionally don't append hostname to statsd keys 2013-04-04 19:14:49 +00:00
styleguide.yml force add config files that didn't make it 2013-04-10 18:50:05 +00:00
testrail.yml.example adding tests, plus testrail reporting 2014-07-31 16:32:16 +00:00
twilio.yml.example Send messages via Twilio 2015-09-14 15:46:23 +00:00
twitter.yml.example