Skip to content

Making syscall/js CSP compatible #1168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 25, 2022
Merged

Making syscall/js CSP compatible #1168

merged 5 commits into from
Oct 25, 2022

Conversation

matthewbelisle-wf
Copy link
Contributor

@matthewbelisle-wf matthewbelisle-wf commented Oct 24, 2022
edited
Loading

Making the syscall/js package compatible with a CSP that does not allow script-src 'unsafe-eval'. See this thread for background.

cc @nevkontakte can you merge this if you think it's good? I tested a CSP manually and it worked, put some snippets below.

@matthewbelisle-wf matthewbelisle-wf mentioned this pull request Oct 24, 2022
Merged
@matthewbelisle-wf
Copy link
Contributor Author

Tested locally with a simple client and server that does CSP.

// client.go
package main

import (
	_ "syscall/js"

	"github.com/gopherjs/gopherjs/js"
)

func main() {
	js.Global.Get("document").Call("write", "Hello world!")
}

// server.go
package main

import (
	"net/http"
)

func main() {
	fs := http.FileServer(http.Dir("."))
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", "script-src 'self'")
		fs.ServeHTTP(w, r)
	})
	http.ListenAndServe(":8080", nil)
}

Throws an error like I expect on older versions of gopherjs.

Screen Shot 2022-10-24 at 4 31 13 PM

No error with these updates.

Screen Shot 2022-10-24 at 4 31 43 PM

nevkontakte
nevkontakte reviewed Oct 24, 2022
View reviewed changes
@nevkontakte
Copy link
Member

CI tests don't test for CSP compliance (obviously 🙃), but they do run the standard syscall/js package tests, so if should inform us if anything is wrong. Overall your change is good, plus or minus the nitpick I left.

@matthewbelisle-wf
Copy link
Contributor Author

Have to log off for the evening and then I'm out of the office tomorrow, but will debug the failures Wednesday morning CDT.

matthewbelisle-wf
matthewbelisle-wf commented Oct 25, 2022
View reviewed changes
@matthewbelisle-wf
Copy link
Contributor Author

Tested CSP locally again, looks good.

Screen Shot 2022-10-24 at 10 28 56 PM

@nevkontakte nevkontakte merged commit dd702cc into gopherjs:master Oct 25, 2022
@nevkontakte
Copy link
Member

Thank you for your contribution!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nevkontakte nevkontakte nevkontakte approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@matthewbelisle-wf @nevkontakte