Clojurians Log v2

Clojure programming

Channels

# 100-days-of-code # aatree # admin-announcements # adventofcode # ai # alda # aleph # all-the-channels # announcements # arachne # architecture # asami # atlanta-clojurians # atom-editor # autochrome-github # avi # aws # aws-lambda # babashka # babashka-sci-dev # bangalore-clj # beginners # berlin # biff # bigdata # bitcoin # boot # boot-dev # boulder-clojurians # braid-chat # braveandtrue # brevis # bristol-clojurians # business # calva # capetown # carry # cbus # cestmeetup # chestnut # chlorine-clover # cider # circleci # clara # clj-commons # cljdoc # cljfx # clj-http # clj-kondo # clj-on-windows # cljs-dev # cljs-experience # cljsfiddle # cljsjs # cljsrn # cljtogether # clojars # clojure # clojure-android # clojure-argentina # clojure-art # clojure-austin # clojure-australia # clojure-austria # clojure-bangladesh # clojure-bay-area # clojure-beijing # clojure-belgium # clojure-berlin # clojure-boston # clojure-brasil # clojurebridge # clojurebridge-ams # clojure-canada # clojure-chennai # clojure-chicago # clojure-china # clojure-colombia # clojure-conj # clojurecup # clojure-czech # clojured # clojure-denmark # clojure-denver # clojure-derby # clojuredesign-podcast # clojure-dev # clojure-dusseldorf # clojure-ecuador # clojure-egypt # clojure-estonia # clojure-europe # clojure-filipino # clojure-finland # clojure-france # clojure-gamedev # clojure-germany # clojure-greece # clojure-guangzhou # clojure-hamburg # clojure-hk # clojure-houston # clojure-hungary # clojure-india # clojureindia # clojure-indonesia # clojure-ireland # clojure-israel # clojure-italy # clojure-japan # clojure-kc # clojure-korea # clojure-losangeles # clojure-madison # clojure-mexico # clojure-miami # clojure-mk # clojure-mke # clojure-morsels # clojure-my # clojure-new-zealand # clojure-nl # clojure-nlp # clojure-norway # clojure-poland # clojure-portugal # clojure-provo # clojure-quebec # clojureremote # clojure-romania # clojure-russia # clojure-sanfrancisco # clojurescript # clojurescript-ios # clojure-sdn # clojure-seattle # clojure-serbia # clojure-sg # clojure-shanghai # clojure-spain # clojure-spec # clojuresque # clojure-survey # clojure-sweden # clojure-switzerland # clojure-taiwan # clojure-turkiye # clojure-uk # clojure-ukraine # clojureverse-ops # clojurewerkz # clojurewest # clojurex # clojure-za # clojurian-chat-app # clojutre # cloverage # cloxp # clr # code-art # code-reviews # community-development # component # conf-proposals # conjure # consulting # contributions-welcome # copenhagen-clojurians # core-async # core-logic # core-matrix # core-typed # cryogen # crypto # css # cursive # cz-clojure # d2q # datacrypt # datahike # datalevin # datalog # data-oriented-programming # data-science # datascript # datavis # dato # datomic # defnpodcast # deps-new # depstar # devcards # devops # dirac # docker # docs # domino-clj # duct # dunaj # eastwood # editors # emacs # error-message-catalog # etaoin # ethereum # euroclojure # events # exercism # expound # figwheel # figwheel-main # flambo # fulcro # funcool # functionalprogramming # funimage # garden # ghostwheel # girouette # gis # google-cloud # gorilla # graalvm # graalvm-mobile # graclj # graphql # gratitude # gsoc # hammock-driven-dev # helix # heroku # hispano # holy-lambda # honeysql # hoplon # hugsql # humor # hypercrud # hyperfiddle # immutant # improve-getting-started # incanter # indycljs # inf-clojure # instaparse # integrant # interceptors # interop # introduce-yourself # iot # iotivity # ipfs # jackdaw # jaunt # java # javascript # javelin # jobs # jobs-discuss # jobs-rus # joker # jukebox # juxt # jvm # kaocha # keechma # kekkonen # keyboards # klipse # kosmos # lambdaisland # ldnclj # ldnproclodo # lein-figwheel # leiningen # liberator # liquid # livestream # local-first-clojure # london-clojurians # lsp # luminus # lumo # mail # malli # mathematics # meander # melbourne # membrane # mental-health # microservices # mid-cities-meetup # midje # minecraft # minimallist # missionary # monads # mount # music # new-channels # new-clojure # nextjournal # nginx # nrepl # numerical-computing # nyc # observability # off-topic # om # om-next # onyx # other-languages # other-lisps # overtone # pamela # parinfer # pathom # pedestal # perun # philosophy # phzr # planck # plastic # play-clj # podcasts # polylith # portal # portkey # portland-or # powderkeg # practicalli # precept # prelude # programming-beginners # project-updates # proletarian # proton # protorepl # pulsar # pure-frame # qa # qlkit # quil # random # rdf # react # reactive # reading-clojure # reagent # reclojure # re-frame # reitit # releases # remote-jobs # respo # rethinkdb # reveal # rewrite-clj # ring # ring-swagger # robots # rum # schema # sci # sfcljs # shadow-cljs # _silence # sim-testing # sioux-falls # slack-help # sneer # sneer-br # spacemacs # specmonstah # specter # speculative # spirituality-ethics # sql # startup-in-a-month # sydney # test200 # test-check # testing # thejaloniki # timbre # tmp-json-parsing # tools-build # tools-deps # trading # tree-sitter # uncomplicate # unrepl # untangled # utah-clojurians # videos # vim # vrac # vscode # wasm # web-security # windows # xtdb # yada # yleinen

Apps

yada

borkdude 2020-03-27T12:16:41.012Z

we're running into a problem with websockets and Content-Security-Policy when deploying our yada app to a staging environment:

sse.cljs:52 Refused to connect to '<wss://searchdev.doctorevidence.com/api/sse/ws>' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

We don't send this header in nginx. Is yada sending a default for this?

borkdude 2020-03-27T12:17:29.012800Z

I do see a couple of issues around this: https://github.com/juxt/yada/issues/61

dominicm 2020-03-27T12:17:30.013Z

Yes.

dominicm 2020-03-27T12:17:36.013500Z

You can change the CSP per-resource.

borkdude 2020-03-27T12:21:58.013900Z

alright!

borkdude 2020-03-27T13:38:31.014400Z

@dominicm I now have this:

(resource
   system
   {:swagger/tags ["app"]
    :id :dre.resources/sse
    :content-security-policy "default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'"
    :methods
    {:get
     {:consumes "application/json"
      :produces "application/json"
      :response
      (fn [ctx]
        (let [req (:request ctx)
              conn (http/websocket-connection req)
              user-id (auth/user-id (user-profile ctx))
              sse (:dre.app.sse/sse system)
              chan (sse/new-chan-for-user! sse user-id)
              _ (-&gt; conn (d/chain
                          (fn [socket]
                            (s/connect chan socket)))
                    (d/catch (fn [e]
                               (error e))))]
          (sse/send-message-to-user sse user-id :sse/ack)
          nil))}}})

but we're still getting something else back in the browser 😕

borkdude 2020-03-27T13:38:59.014600Z

something else than: :content-security-policy "default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'"

dominicm 2020-03-27T13:50:54.014900Z

I thought it went inside a map

dominicm 2020-03-27T13:51:44.015200Z

https://juxt.pro/yada/manual/index.html#cross-origin-resource-sharing-cors access control

borkdude 2020-03-27T14:00:13.015600Z

a map?

borkdude 2020-03-27T14:00:45.016200Z

we used to have it on the top level of our yada resources like months or years ago:

:produces formats
         :consumes formats
         :content-security-policy content-security-policy

borkdude 2020-03-27T14:04:47.016500Z

that seems to be the correct place: https://github.com/juxt/yada/blob/e92f35d1be6b8fabee65e280efebf71fae9c9b1b/src/yada/schema.clj#L518

dominicm 2020-03-27T14:08:05.017Z

Hmm. Yes.

borkdude 2020-03-27T14:43:45.018Z

hmm, adding :content-security-policy "default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'" on ALL resources works, but not when I only add it to the resource which produces the websocket:

(defn new-websocket-resource
  [system]
  (resource
   system
   {:swagger/tags ["app"]
    :id :dre.resources/sse
    :content-security-policy "default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'"
    :methods
    {:get
     {:consumes "application/json"
      :produces "application/json"
      :response
      (fn [ctx]
        (let [req (:request ctx)
              conn (http/websocket-connection req)
              user-id (auth/user-id (user-profile ctx))
              sse (:dre.app.sse/sse system)
              chan (sse/new-chan-for-user! sse user-id)
              _ (-&gt; conn (d/chain
                          (fn [socket]
                            (s/connect chan socket)))
                    (d/catch (fn [e]
                               (error e))))]
          (sse/send-message-to-user sse user-id :sse/ack)
          {}))}}}))

borkdude 2020-03-27T14:51:04.018200Z

so what's up with that?

dominicm 2020-03-27T14:54:21.018600Z

No idea 😹

dominicm 2020-03-27T14:54:38.019200Z

Don't you need to adjust the csp elsewhere anyway?

dominicm 2020-03-27T14:54:54.019800Z

You need to set the csp for your html pages to allow websockets.

dominicm 2020-03-27T14:55:01.020100Z

Not on the websocket resource

borkdude 2020-03-27T14:55:05.020300Z

oh I see

borkdude 2020-03-27T14:55:13.020500Z

well, then it's fine I guess

dominicm 2020-03-27T14:55:25.020800Z

Yeah.

borkdude 2020-03-27T14:55:29.021Z

I really don't care as long as this works

dominicm 2020-03-27T14:55:42.021500Z

I'm not sure websockets supports headers, it isn't http

borkdude 2020-03-27T14:56:19.021700Z

thanks for the help!