
Option to manually disable warnings #71

Open
IlCallo opened this issue Jan 22, 2018 · 4 comments
Comments

IlCallo commented Jan 22, 2018

I'm with you that having Warnings and Notices is a wonderful thing while developing, but it seems that it's not possible to manually disable them in any way.

Use cases:

  • we want to support Edge pre-15, so we must put the "unsafe-inline". Our CSP is built in order to leverage CSP3 and 2 where possible and fall back to CSP1 only where really needed, but actually we find ourselves filled with warnings about a decision we know we made for a reason;
  • we are enhancing security step-by-step and for this reason we preferred to disable HSTS for now. We know we did, we are going to enable it later, still we apparently have no way to disable those errors.

If there were some way to selectively disable some warnings (of course they must be enabled by default), it would be great.

aidantwoods (Owner) commented Jan 22, 2018

reportMissingException might be partially what you're looking for. Though I agree it might be good to be able to selectively mute any error (like the CSP ones for example). You're now reminding me of something I've been meaning to fix – I think SecureHeaders will warn for 'unsafe-inline' when a hash/nonce is used, but it shouldn't be (using a nonce/hash will disable 'unsafe-inline' – this being a backwards compat convenience to pretty much fit the situation you're describing).

aidantwoods (Owner) commented
Just to rephrase slightly – for the first situation if you're using hashes and nonces in addition to 'unsafe-inline' then SecureHeaders shouldn't be giving a warning anyway.
For the second situation you should be able to mute the HSTS warning, but I think the API call might need to be exposed as a config option from @mikefrancis's library (so giving him a ping here 😜).
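The "degrade gracefully" behaviour both comments rely on is a rule of the CSP specification itself: a browser that understands CSP level 2 or later ignores 'unsafe-inline' whenever the same source list also carries a nonce or hash source, while a CSP level 1 browser (such as the pre-15 Edge mentioned above) does not know nonce or hash sources and honours 'unsafe-inline' alone. The following is an added illustration, not code from SecureHeaders or from either participant, that models this evaluation for an inline script under both browser generations; the directive value, nonce and script bodies are constructed sample data.

```python
import base64
import hashlib
import re

# Digest algorithms CSP accepts for inline hash sources.
HASH_ALGOS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def parse_source_list(directive_value):
    """Split a directive value into its whitespace-separated source expressions."""
    return directive_value.split()


def inline_hash(script_body, algo="sha256"):
    """Return the CSP hash source for an inline script body, e.g. 'sha256-<base64>'."""
    digest = HASH_ALGOS[algo](script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_allowed(directive_value, script_body, nonce_attr=None, csp_level=3):
    """Decide whether an inline script executes under a script-src source list.

    csp_level=1 models a browser that only understands CSP level 1: nonce and
    hash sources are meaningless to it, so 'unsafe-inline' alone decides.
    csp_level>=2 models the CSP2/CSP3 rule: when the source list contains any
    nonce or hash source, 'unsafe-inline' is ignored and the script runs only
    if its nonce attribute or its body hash matches the policy.
    """
    sources = parse_source_list(directive_value)
    has_unsafe_inline = "'unsafe-inline'" in sources
    nonce_sources = {s for s in sources if s.startswith("'nonce-")}
    hash_sources = {s for s in sources if re.match(r"'(sha256|sha384|sha512)-", s)}

    if csp_level < 2 or not (nonce_sources or hash_sources):
        # Either an old browser, or a policy with no nonce/hash: 'unsafe-inline' decides.
        return has_unsafe_inline

    # CSP2+: a nonce or hash is present, so 'unsafe-inline' is disabled.
    if nonce_attr is not None and f"'nonce-{nonce_attr}'" in nonce_sources:
        return True
    return any(inline_hash(script_body, algo) in hash_sources for algo in HASH_ALGOS)


# Constructed sample data (not from the issue): one legitimate inline script,
# served with a nonce and also whitelisted by hash, plus an attacker-controlled
# injected body that carries neither.
LEGIT_SCRIPT = "console.log('hello')"
INJECTED_SCRIPT = "alert(document.cookie)"
NONCE = "r4nd0mN0nc3"
SAMPLE_DIRECTIVE = f"'self' 'unsafe-inline' 'nonce-{NONCE}' {inline_hash(LEGIT_SCRIPT)}"


def fallback_matrix(directive_value=SAMPLE_DIRECTIVE):
    """Evaluate both scripts under a CSP1-only browser and a CSP3 browser."""
    return {
        "csp1_legit": inline_script_allowed(directive_value, LEGIT_SCRIPT, NONCE, csp_level=1),
        "csp1_injected": inline_script_allowed(directive_value, INJECTED_SCRIPT, None, csp_level=1),
        "csp3_legit_nonce": inline_script_allowed(directive_value, LEGIT_SCRIPT, NONCE, csp_level=3),
        "csp3_legit_hash_only": inline_script_allowed(directive_value, LEGIT_SCRIPT, None, csp_level=3),
        "csp3_injected": inline_script_allowed(directive_value, INJECTED_SCRIPT, None, csp_level=3),
    }


if __name__ == "__main__":
    for case, allowed in fallback_matrix().items():
        print(f"{case:24s} -> {'allowed' if allowed else 'blocked'}")
```

Under this model the old browser runs every inline script, including the injected one, because 'unsafe-inline' is the only thing it understands, while the CSP3 browser runs the legitimate script (by nonce or by hash) and blocks the injected body. That is exactly why a warning about 'unsafe-inline' is misplaced when a nonce or hash sits beside it: the keyword is a compatibility shim for old clients, not a weakening of the policy for modern ones.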

IlCallo (Author) commented Jan 22, 2018

Yes, my first use case is exactly the "degrade gracefully" one you described.
And the reportMissingException is what I was searching, ty. It wasn't mentioned on the README and I guess I missed that part of the Wiki.

aidantwoods (Owner) commented
I'll re-open this to keep a pin in it so I remember to add the ability to turn off specific warnings/notices :)

In principle I wouldn't recommend ignoring the CSP warnings for example (at least when they're doing the right thing). Though if a user really doesn't want to see a particular warning, I would rather they muted a single warning type than everything in bulk and being blind to all problems – so I think it is worthwhile adding this granularity.

@aidantwoods aidantwoods reopened this Jan 22, 2018
@aidantwoods aidantwoods added this to the Version 2.1 milestone Jan 22, 2018