Lift 3.x Migration: Tips for the CSP feature


j...@joescii.com

Nov 14, 2017, 11:40:41 AM11/14/17
to Lift
I'm migrating a second app from Lift 2.x to 3.x, and I thought I'd share the CSP settings that work for me to disable it since our coverage of the feature is a bit smattered about the ML: 

LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    styleSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.All
    ),
    scriptSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.All
    )
  )))
}

LiftRules.extractInlineJavaScript = true

Also note that the securityRules setting may appear to not work if you put it too late in your boot (the first time the setting is read, it's locked and subsequent settings are silently ignored. You can find a discussion about improving this behavior in this thread). 

If you have other sources involved (such as fonts if you are using Google fonts), you'll want to investigate the full API of ContentSecurityPolicy.

Ideally, you want to comb through your code base and rock the default CSP settings before shipping. However, above cross-cutting disabling of the feature is useful to defer upgrading your application to leverage CSP for after you've resolved other Lift 3.x migration needs.

Happy Lifting!
Joe

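The snippet above is the migration-time setting; as an added example (my code, not Joe's and not from the Lift project), here is how one can keep that loosened policy beside a tighter target policy and pick one in Boot, so the app can be flipped to the stricter policy once the inline scripts and styles have been cleaned up. The `Host`, `fontSources` and `reportUri` members are assumed from the Lift 3 `ContentSecurityPolicy` API as I recall it, the `csp.loosened` property key and the font hostnames are placeholders of my own choosing.

```scala
// Added example, not from the original post: a migration-phase toggle between the
// loosened CSP from the thread and a tighter target policy.
import java.net.URI
import net.liftweb.http.{ContentSecurityPolicy, ContentSourceRestriction => CSR, LiftRules, SecurityRules}
import net.liftweb.util.Props

object CspSettings {
  // The loosened policy from the post: legacy inline <script>/<style> keep working,
  // but unsafe-inline/unsafe-eval/* gives essentially no XSS protection.
  val migrationPolicy: ContentSecurityPolicy = ContentSecurityPolicy(
    styleSources  = List(CSR.UnsafeInline, CSR.All),
    scriptSources = List(CSR.UnsafeInline, CSR.UnsafeEval, CSR.All)
  )

  // Tighter target policy: same-origin by default, Google Fonts allowed explicitly
  // (hostnames are placeholders; assumed Host/fontSources/reportUri API), and
  // violations reported to Lift's CSP report endpoint so you can find leftovers.
  val targetPolicy: ContentSecurityPolicy = ContentSecurityPolicy(
    defaultSources = List(CSR.Self),
    scriptSources  = List(CSR.Self),
    styleSources   = List(CSR.Self, CSR.Host("https://fonts.googleapis.com")),
    fontSources    = List(CSR.Self, CSR.Host("https://fonts.gstatic.com")),
    reportUri      = Some(new URI("/lift/content-security-policy-report"))
  )

  // Installs one of the two policies. Inline JS extraction is only useful when the
  // policy forbids inline scripts, so it is switched on together with the tight policy.
  def install(loosened: Boolean): Unit = {
    val policy = if (loosened) migrationPolicy else targetPolicy
    LiftRules.securityRules = () => SecurityRules(content = Some(policy))
    LiftRules.extractInlineJavaScript = !loosened
  }
}

class Boot {
  def boot(): Unit = {
    // Do this first: securityRules is read once and then locked, so a later
    // assignment is silently ignored. "csp.loosened" is an assumed property key.
    CspSettings.install(loosened = Props.getBool("csp.loosened", true))
    // ... the rest of the LiftRules configuration ...
  }
}
```

Keeping the property defaulting to `true` means an upgraded app starts in the loosened mode; flipping it to `false` in a test deployment and reading the CSP violation reports is a cheap way to find the remaining inline scripts and styles before shipping the tighter policy.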

Antonio Salazar Cardozo

Nov 14, 2017, 5:22:49 PM11/14/17
to Lift
Nice, thanks for sharing!

Worth noting that enabling inline JS extraction isn't strictly necessary if you've loosened your content security policy.
Thanks,
Antonio