Ruby version: 2.3.0
Sidekiq free version : 4.1.2
Sinatra 2.0.0.pre.alpha (master)
rack-protection / rack : 2.0
In my Rails app, I wanted to add the monitoring (https://github.com/mperham/sidekiq/wiki/Monitoring)
But there is some violation of "Content Security Policy directives", and the result is there is no JS, CSS, images.
But 👍 because it still works (except live polling).

```
Refused to load the stylesheet 'https://www.xxx.xx/sidekiq/stylesheets/bootstrap.css' because it violates the following Content Security Policy directive: "style-src self".
retries:7 Refused to load the stylesheet 'https://www.xxx.xx/sidekiq/stylesheets/application.css' because it violates the following Content Security Policy directive: "style-src self".
retries:8 Refused to load the image 'https://www.xxx.xx/sidekiq/images/favicon.ico' because it violates the following Content Security Policy directive: "default-src none". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
retries:1 Refused to load the script 'https://www.xxx.xx/sidekiq/javascripts/application.js' because it violates the following Content Security Policy directive: "script-src self".
retries:1 Refused to load the script 'https://www.xxx.xx/sidekiq/javascripts/locales/jquery.timeago.en.js' because it violates the following Content Security Policy directive: "script-src self".
retries:394 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src self". Either the 'unsafe-inline' keyword, a hash ('sha256-RplG6L4DS7tinB+kpxygtAVbINLXXNahDRzdfk1+cwY='), or a nonce ('nonce-...') is required to enable inline execution.
retries:1 Refused to load the image 'https://www.xxx.xx/sidekiq/images/favicon.ico' because it violates the following Content Security Policy directive: "default-src none". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
```
Sounds like your top-level website is setting some CSP rules that the Sidekiq Web UI does not follow, maybe? I don't know much about CSP.
Ah, sounds like this might be a CSP Rack middleware you've configured for your app, which is breaking Sidekiq? If so it's an app problem - PRs welcome if there's some way to make Sidekiq CSP-friendlier.
If you're tracking Sinatra from github (which, AFAIK, you have to do if you're running on Rails 5 right now), then Sinatra now adds CSP by default (see https://github.com/sinatra/sinatra/commit/7f013c91607cc867806b29b316f576e2bc6be75c).
Gross hacky workaround for now -
```ruby
# in config/application.rb
require 'sidekiq/web'
# We need to delete the existing, now mis-configured Rack::Protection middleware
Sidekiq::Web.instance_variable_get(:@middleware).delete_if { |klass, _, _| klass == Rack::Protection }
Sidekiq::Web.set :protection, except: :content_security_policy
# draw your routes and mount as usual ...
```
@mperham - PR incoming as soon as I figure out CSPs enough to recommend a good default that works.
Well that commit ^ should work as soon as the upstream bug in Rack::Protection gets merged.
Question though: I'm assuming that supporting back to Rails 3.2 means you'll have to transitively support Rack and Sinatra 1 ... I'm not really sure how to handle falling back gracefully here. Do we need an explicit check for Sinatra version?
@jamesdabbs This would imply that Sinatra 2 is breaking old apps with this new CSP stuff. I thought it was opt-in. Can you confirm this is the case?
Yeah, I'm getting CSP errors from sinatra/sinatra@d4b8cc5 and sinatra/rack-protection@bce9100. Rails 5 requires an unreleased Sinatra b/c of the rack/showexceptions load error, and Sinatra master now depends on the unreleased rack-protect, so I think most Rails 5 users are going to run into this.
That said, it's entirely possible this is an unintended regression, and that the defaults in https://github.com/sinatra/sinatra/blob/master/lib/sinatra/base.rb#L1691 (/ https://github.com/sinatra/sinatra/blob/master/lib/sinatra/base.rb#L1779) just need to be updated.
So this is fixed in master? When can we expect a release for this?
@sublimecoder
You can fix it with the following code.
```ruby
# @jamesdabbs supported
# We need to delete the existing, now mis-configured Rack::Protection middleware
Sidekiq::Web.instance_variable_get(:@middleware).delete_if { |klass, _, _| klass == Rack::Protection }
Sidekiq::Web.set :protection, except: :content_security_policy
```
I just set the Sinatra ref to the commit right before 13fec9c - Bump rack-protection dependency to test with 2.0.0 alpha
```ruby
gem 'sinatra', github: 'sinatra', ref: '4e0048d', require: false
```
Works for me.
Ugh, this is my fault.
I thought the CSP stuff was opt-in, but I guess that was an oversight.
I will change it to make it opt-in since I don't want to introduce an untested policy as default.
Sorry for the trouble!
Confirmed. With sinatra, rack-protect, and sidekiq all from master, we're :+1: now. Thanks, @zzak!
@sublimecoder, @rayway30419 - you can remove my horrible hacky brittle instance_variable_get mess now and bundle update and should be good to go.
We use content security policy as a matter of best practice, at least the inline and eval protection. Would it not be a reasonable change to move the update script to a .js file instead of inline or would that be a big change?
Note: I do get that it isn't really a big deal for us to disable the CSP for the Sidekiq dashboard but all things being equal I'd rather keep it enabled if possible.
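The console errors at the top of the issue and the inline-style point in the previous comment can be reasoned about without a browser. The script below is an added example, not code from Sidekiq, Sinatra or rack-protection: a small evaluator for a handful of CSP fetch directives that models the `default-src` fallback (the favicon case in the console output) and the `'unsafe-inline'` / nonce / hash requirement for inline style, so a candidate policy for the dashboard can be checked before it is deployed. The host names, the three sample policies and the asset list are constructed; the hash is the one the console message printed. One caveat worth knowing: the console shows `style-src self` without quotes. If a header really carries the unquoted form, CSP reads `self` as a host source for a host literally named `self`, not as the keyword, and the page's own assets are refused; the evaluator treats it that way, and the third sample policy shows the effect.

```ruby
# Added example (not from the Sidekiq/Sinatra thread): a minimal evaluator for a
# subset of CSP. It is meant to explain why the dashboard assets were refused,
# not to replace a browser's CSP engine.
require 'uri'

# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK_TO_DEFAULT = %w[script-src style-src img-src connect-src font-src].freeze

# Parse "default-src 'none'; script-src 'self' https://cdn.example" into
# { "default-src" => ["'none'"], "script-src" => ["'self'", "https://cdn.example"] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name.downcase] = sources
  end
end

# Effective source list for a directive and the directive that supplied it.
# Returns [nil, nil] when nothing applies (the load is allowed).
def effective_sources(policy, directive)
  return [policy[directive], directive] if policy.key?(directive)
  if FALLBACK_TO_DEFAULT.include?(directive) && policy.key?('default-src')
    return [policy['default-src'], 'default-src']
  end
  [nil, nil]
end

# scheme://host[:port] of a URL, omitting the default port.
def origin_of(url)
  u = URI(url)
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
end

# Does one source expression permit loading url from a page at page_origin?
# Keywords must be quoted; an unquoted word such as `self` is a host source.
def source_allows?(expr, url, page_origin)
  return false if expr == "'none'"
  return origin_of(url) == page_origin if expr == "'self'"
  return true if expr == '*'
  return url.start_with?(expr) if expr =~ /\A[a-z][a-z0-9+.-]*:\z/ # scheme source, e.g. https:
  return false if expr.start_with?("'") # other keywords, nonces and hashes never match a URL
  host = expr.sub(%r{\A[a-z]+://}, '').split(%r{[/:]}).first # host source, optional scheme/port/path
  target = URI(url).host.to_s
  host.start_with?('*.') ? target.end_with?(host[1..-1]) : target == host
end

# Decide whether a resource load of a given type ('script', 'style', 'img')
# is permitted. Returns [allowed, reason].
def check_load(policy, type, url, page_origin)
  directive = "#{type}-src"
  sources, via = effective_sources(policy, directive)
  return [true, "no #{directive} or default-src: allowed"] if sources.nil?
  allowed = sources.any? { |s| source_allows?(s, url, page_origin) }
  note = via == directive ? '' : " (#{directive} not set, #{via} used as fallback)"
  [allowed, "#{allowed ? 'allowed' : 'refused'} by #{via}#{note}"]
end

# Decide whether inline script/style is permitted. A matching nonce or hash on
# the element unblocks it without 'unsafe-inline'.
def check_inline(policy, type, nonce: nil, hash: nil)
  sources, via = effective_sources(policy, "#{type}-src")
  return [true, 'no directive: allowed'] if sources.nil?
  return [true, "allowed: 'unsafe-inline' in #{via}"] if sources.include?("'unsafe-inline'")
  return [true, "allowed: nonce matches #{via}"] if nonce && sources.include?("'nonce-#{nonce}'")
  return [true, "allowed: hash matches #{via}"] if hash && sources.include?("'#{hash}'")
  [false, "refused by #{via}: 'unsafe-inline', a nonce or a hash is required"]
end

# Constructed sample data (placeholder host, not a real deployment).
ORIGIN = 'https://www.example.test'.freeze
INLINE_STYLE_HASH = 'sha256-RplG6L4DS7tinB+kpxygtAVbINLXXNahDRzdfk1+cwY='.freeze # from the console message
# Strict policy: own-origin script/style only, everything else refused.
STRICT = parse_csp("default-src 'none'; script-src 'self'; style-src 'self'")
# Same policy, but images allowed and the inline style admitted by hash instead of 'unsafe-inline'.
HASHED = parse_csp("default-src 'none'; img-src 'self'; script-src 'self'; " \
                   "style-src 'self' '#{INLINE_STYLE_HASH}'")
# Unquoted keywords, as the console output prints them: host sources named "none" and "self".
UNQUOTED = parse_csp('default-src none; script-src self; style-src self')

SIDEKIQ_LOADS = [
  ['style',  "#{ORIGIN}/sidekiq/stylesheets/application.css"],
  ['script', "#{ORIGIN}/sidekiq/javascripts/application.js"],
  ['img',    "#{ORIGIN}/sidekiq/images/favicon.ico"],
  ['script', 'https://cdn.example.test/jquery.js']
].freeze

# Evaluate every sample load plus the inline <style> against one policy.
def report(policy)
  rows = SIDEKIQ_LOADS.map { |type, url| [url, *check_load(policy, type, url, ORIGIN)] }
  rows << ['inline <style>', *check_inline(policy, 'style', hash: INLINE_STYLE_HASH)]
end

if $PROGRAM_NAME == __FILE__
  { 'STRICT' => STRICT, 'HASHED' => HASHED, 'UNQUOTED' => UNQUOTED }.each do |name, policy|
    puts "== #{name}"
    report(policy).each { |what, ok, why| puts "#{ok ? 'OK ' : 'BLK'} #{what}: #{why}" }
  end
end
```

Run it as a script to see the three reports side by side: under `STRICT` the dashboard's own script and stylesheet load but the favicon falls through to `default-src 'none'` and the inline style is refused; under `HASHED` everything the dashboard needs is allowed while the CDN script is still refused; under `UNQUOTED` every load is refused, which is the pattern in the console output above.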
@chrisnicola I'm happy to get security improvement suggestions but I can't really take the lead here - it's not my area of expertise. PRs, as always, are welcome.
@mperham no problem, just wondering if it sounded like something that would make sense. Will submit a PR if people are interested then. I may wait until Sidekiq 2.0 is out of beta.