Replies: 1 comment 1 reply
-
These are generally worth doing. The https redirect thing is broken for me since eternity; from https://github.com/EmaApps/emanote/settings/pages:
-
Currently the CSP for emanote is approximately (visiting one page with Laboratory)
I would like to see this as recommended by most security folks.
But due to a Firefox bug with SVG sprites (<symbol> + <use>), this is an acceptable alternative for now

Motivation: a lot of folks forget this big security win for their content and by recommending a good, strong list, you can steer users into making good security decisions. You can also help folks get better security scores at places like Mozilla Observatory.
This change would affect this project too—ultimately in a positive direction in my opinion, especially when we look at how less-than-stellar Emanote’s score is: F (https://observatory.mozilla.org/analyze/emanote.srid.ca).
By removing the CDN usage, users will not need to leak data to third parties. Currently said scripts aren’t even using subresource integrity to help mitigate a corrupt/compromised CDN pushing out bad content. Since the only usage is for highlight.js, this can be a catalyst to do all syntax highlighting server side. Server-side rendering would remove any need for any CDN trust, but it’s also a massive performance win for downstream users—all of which are downloading these scripts and parsing the same source code lines on their device, wasting bandwidth, energy, and render speed—when the build process can do it once for everyone. If something is used for LaTeX/MathJax, the same logic for server-side rendering should apply. As a worst case, at least with 'self', the CSP would encourage folks into self-hosting their libraries for the benefit of their reader.

Unsafe-inline is removed too, which should provoke the project to bundle up its scripts/styles/images into separate files for caching.
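As an added example (not Emanote's code and not part of the original post), here is a small Python checker for the two weaknesses the post raises: a policy that still allows 'unsafe-inline' or third-party hosts instead of 'self', and script or stylesheet tags that load from a third party without a subresource-integrity attribute. The policies, the HTML and the hostnames (cdn.example.com, emanote.example) are constructed samples, not Emanote's actual CSP or markup.

```python
"""Check a Content-Security-Policy and a page's script/style tags for the
weaknesses discussed above: 'unsafe-inline', third-party (CDN) sources,
and third-party resources loaded without subresource integrity (SRI).

Added example; the policies, HTML and hostnames below are constructed
samples and do not reflect Emanote's real configuration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fetch directives whose source lists we inspect.
FETCH_DIRECTIVES = ("default-src", "script-src", "style-src",
                    "img-src", "font-src", "connect-src")


def parse_csp(policy):
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def classify_source(src):
    """Keyword ('self', 'none', 'unsafe-inline', nonces, hashes),
    wildcard (*), scheme-only (https:, data:) or an explicit host."""
    low = src.lower()
    if low.startswith("'"):
        return "keyword"
    if low == "*":
        return "wildcard"
    if low.endswith(":"):
        return "scheme"
    return "host"


def csp_findings(policy):
    """Return human-readable findings for the weak settings in a policy."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: resource types not listed are unrestricted")
    for name in FETCH_DIRECTIVES:
        for src in d.get(name, []):
            kind = classify_source(src)
            if kind == "keyword" and src.lower() == "'unsafe-inline'":
                findings.append(f"{name}: 'unsafe-inline' lets injected inline code run")
            elif kind == "wildcard":
                findings.append(f"{name}: wildcard allows any origin")
            elif kind == "scheme" and src.lower() in ("http:", "https:"):
                findings.append(f"{name}: scheme-only source {src} allows any host")
            elif kind == "host":
                # Anything other than 'self' means readers fetch from a third party.
                findings.append(f"{name}: third-party source {src} (prefer 'self')")
    return findings


class _ResourceCollector(HTMLParser):
    """Collect (url, has_integrity) for <script src> and stylesheet <link>."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.resources.append((a["src"], "integrity" in a))
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.resources.append((a["href"], "integrity" in a))


def sri_findings(html, site_host):
    """Flag resources from hosts other than site_host that lack an integrity attribute."""
    collector = _ResourceCollector()
    collector.feed(html)
    out = []
    for url, has_integrity in collector.resources:
        host = urlparse(url).netloc
        if host and host != site_host and not has_integrity:
            out.append(f"{url}: third-party resource without SRI integrity attribute")
    return out


# Constructed sample policies: a CDN-plus-inline policy and a 'self'-only one.
WEAK_CSP = ("default-src 'self' https://cdn.example.com; "
            "script-src 'self' 'unsafe-inline' https://cdn.example.com; "
            "style-src 'self' 'unsafe-inline'")
STRICT_CSP = ("default-src 'none'; script-src 'self'; style-src 'self'; "
              "img-src 'self'; font-src 'self'; connect-src 'self'; "
              "base-uri 'self'; form-action 'self'; frame-ancestors 'none'")

# Constructed sample page: one CDN script without SRI, one with, one self-hosted.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/highlight.min.js"></script>
<script src="https://cdn.example.com/highlight.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/highlight.min.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
</head></html>"""

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, csp_findings(policy) or ["no findings"])
    print(sri_findings(SAMPLE_HTML, "emanote.example"))
```

The checker treats every explicit host as third-party rather than trying to guess which CDNs are trustworthy; that matches the post's point that 'self' plus self-hosted (or build-time rendered) assets removes the need to trust any CDN at all.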