These are chat archives for assetgraph/assetgraph

5th Oct 2016
Andreas Lind
@papandreou
Oct 05 2016 12:00
@Munter I'm done with everything I wanted to include in ag 3 / ag-b 5 feature-wise now. Maybe we should do some changelog and doc updates?
Peter Müller
@Munter
Oct 05 2016 13:00
We should. Feature-wise I just want the canonical resolving in
Andreas Lind
@papandreou
Oct 05 2016 13:28
@Munter Okay, great! Getting close :)
Peter Müller
@Munter
Oct 05 2016 18:58
I got pretty far away from that canonical href resolving PR. Trying to get my head around it again
What hrefType should a canonical relation be? absolute ?
Andreas Lind
@papandreou
Oct 05 2016 19:12
Yeah, or protocolRelative
Peter Müller
@Munter
Oct 05 2016 19:13
I'm trying out a Relation.canonical getter/setter pair
I need to be able to store the intent of keeping the href canonical across asset url changes
I think I have a better match than substring going when parsing. But when changing from non-canonical to canonical I can't do better than using the canonicalRoot verbatim
Andreas Lind
@papandreou
Oct 05 2016 20:21
Awesome :)
It's safe to say that we're ready to look at CSP like that :)
Peter Müller
@Munter
Oct 05 2016 20:23
Heck, we could even supply assetgraph as a prototyping tool for them :P
Andreas Lind
@papandreou
Oct 05 2016 20:23
Might make sense to make a standalone tool like you did with contentsecure
Andreas Lind
@papandreou
Oct 05 2016 20:57
[assetgraph-builder]$ ./bin/contentSecure https://mntr.dk/
 ✔ 0.002 secs: logEvents
 ✔ 0.482 secs: loadAssets
 ✔ 0.004 secs:
 ✔ 0.823 secs: populate
 ✔ 0.005 secs: reviewContentSecurityPolicy
https://mntr.dk/
Content-Security-Policy: img-src 'self'; style-src 'self'; script-src 'sha256-6dyrJuu8fEr+yU+qWB8eYmv8860bNPnxx4QOnHSztLA=' 'sha256-FTRM88wZLKbkH3sMCpAOyk/waNSeXVhdZV2RkzgLy3g=' 'sha256-LJOONddNtIMPVfcLsFATXyL4P23f3znxXz4FxYemkxI='
 ✔ 0.001 secs:
Andreas Lind
@papandreou
Oct 05 2016 21:18
[assetgraph-builder]$ ./bin/contentSecure --ignoreexisting http://charcod.es/
http://charcod.es/
Content-Security-Policy: manifest-src http://charcod.es/index.appcache; img-src charcod.es data:; style-src 'sha256-X7RlTkYjwsLiK9cCACElel15Ph1IxYAVa/QLLsDNMaQ=' http://charcod.es/static/app-bundle.cd8a828510.css
Andreas Lind
@papandreou
Oct 05 2016 21:35
[assetgraph-builder]$ ./bin/contentSecure http://politiken.dk/
Content-Security-Policy: script-src 'sha256-/n1QhS6LEP1q15M4Repng0Ci+3qiSMujXN0cGQr0L3E=' 'sha256-/rM/hjpi56tdh+hg6asNkWzUMDfsDZTeRAz3fcdfj9A=' 'sha256-05tVoPXjj5iRt8yKFYMyxcJaztwx2mUA5y2XoWf8LgE=' 'sha256-111UvQA+uCWkANh5L0mVrPwevX9ZqZemtTguUQOUIbs=' 'sha256-5jnSvw70nBbknaGghsxhFi3EaVkbfzGeV2hJWlHRp3k=' 'sha256-Cbq4xkiPsKj1vAjczPxQT6u6tlK3/EmQvcLKVnFkvTE=' 'sha256-DomNv9GZyr/1EBE/s+3+jfNzmr8y3cDABinhqal6fzg=' 'sha256-FW8xKW2tNr2Jth4KOA1N6GynRxrHbL30xkz1x8vP7Nc=' 'sha256-FfgrY3O3oDGS9F3X6gy41qClajvwxlRZa3nIVL+q1Ew=' 'sha256-Gfm3OxV1vWU26iSuFgrZEqwizqQvJGdfKGBhTAZS5K0=' 'sha256-H49t7ia/ipwvaa2/EtVx7FuOIo6T6t4HUE58cdgnG0E=' 'sha256-HsuEckiheqgaxvwQoUJ1uAxEwixmq8JpdCr4BDc8dTE=' 'sha256-J6NdFo6Ak9XKNuXthVFxRzbO6ZoDcdI9niewwVqa/QU=' 'sha256-NQxA4ePk8/czYb8SlUXiasOEQl4n9FfnodnBhGrDd54=' 'sha256-Pk6MJ+0J7Py/COgDdYvlwF/qErYb0dlL8sbuQpKPOOs=' 'sha256-Q1QskmbY0DAOoTKcNjHbJL/FNpPsQSZDC+ob7qegYIw=' 'sha256-QiDZync0xEXs+SIwh2TaPL/+3zwH+EZjsKEo/s++QCQ=' 'sha256-SYoUAZ0VuCPvQwSZdKh7DGHmx7C7Fe0GhR9DS0CnZ0s=' 'sha256-U0GzGUULHHlYKir898W/EcuALZ21ELRYhE1FFzlG7fE=' 'sha256-XBL8BQh1MwXfxZpd8CEBqH6LLBZiFdqqQcqDkXevVrY=' 'sha256-XnRyEYCg6iyFzP3DAiEfwhk/lcD0e5sBK5E2H9r9YIg=' 'sha256-cP0UWq8tePgOqygjEQMJhZekJDImMRLcA9/YoEaE1l4=' 'sha256-e3+tjg6S266kMl5sODBe4lBUAyqeW8Lgpf7stTCApeE=' 'sha256-fuSlnaevBaSrmiaqnTIi8DgijpWPh/w4fOnaQmOz9uM=' 'sha256-gOXYdmwrlF/TDuSqCiSm7dOxYCKL9LRS6+svm7HRbEQ=' 'sha256-gSUS3Ho1YoB5B5x7woV7Wr2QF1Nud3QOzLlvGcr6Yvw=' 'sha256-jzuG+srkxw7UuB5zZw6B56HsaQ4KWIYDkzJzXZpd/Ik=' 'sha256-o+foY6XNCTCB0cSx5lCa1wnRQBOkcMk35aqfcsR+rTI=' 'sha256-q1uk+dMLdlEZmtwyvMHrUqbq1GFL6FM3TWMwqgCrYx0=' 'sha256-udO7p/S3YrFCaAXeF+HTsuYAYG4yS4ByxI8ISbK/gGk=' 'sha256-v1trznOVCSS7dj3YrdbRy/IGj2aBFfZ62/RVXfIqKEw=' 'sha256-w3vUn+RnSOA4sDiCqj0cYMZctirosJcQYl8Duhk/HyE=' 'sha256-w49U5HpSUG9r6HRJ2WUqiOQqBxTuw7FuC5EYudyUOdA=' 'sha256-xW0VHR51W3rjJ6byDhnrimRkfgV2q8V2eDhhybCpNRM=' 'sha256-zhsghPKt3cG+Y70TI6Q75zbqDTfUxgs+JXYluZAwYec=' http://politiken.dk/ad-server.js http://politiken.dk/static/bundles/js/desktop?v=201609291052; img-src data: politiken.dk; style-src http://politiken.dk/static/Content/css/desktop/box.css?v=201609291052 http://politiken.dk/static/Content/css/desktop/structure.css?v=201609291052 http://politiken.dk/static/bundles/css/desktop?v=201609291052 http://politiken.dk/static/bundles/css/stylesdesktop?v=201609291052; font-src politiken.dk
Peter Müller
@Munter
Oct 05 2016 21:37
I wish we had a good security researcher as a close contact. Really want to know if what we generate will close the XSS holes that most CSP-implementing sites apparently still have
npm link against assetgraph master
We're following their recommendations pretty closely, although with ag-b there's that manual step involved where you put in your baseline CSP as a meta tag.
We don't support 'strict-dynamic' yet, though. CSP3 is still WIP.
We do support it in the sense that we won't touch it if you have it in your existing CSP, but I haven't analyzed whether reviewContentSecurityPolicy should take its existence into account.