Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sidekiq 7.3 compatibility #468

Open
mperham opened this issue May 8, 2024 · 6 comments
Open

Sidekiq 7.3 compatibility #468

mperham opened this issue May 8, 2024 · 6 comments

Comments

@mperham
Copy link

mperham commented May 8, 2024
edited

Sidekiq 7.3 will remove support for inline styling and scripts. This means you'll need to move your dynamic styling into a separate CSS file and flag it with the current nonce.

<link href="<%= root_path %>stylesheets/sidekiq-cron.css" media="screen" rel="stylesheet" type="text/css" nonce="<%= csp_nonce %>" />

Where sidekiq-cron.css should go into a directory which you have added to Sidekiq::Web's asset paths. I don't have an API for this yet -- TBD.

See sidekiq/sidekiq#6270
@markets
Copy link
Member

markets commented May 8, 2024

Thanks for the info @mperham! Will take a look asap this new API is defined.

Just a question for now, I understand this will only work with Sidekiq 7.3+ right? That means, that we'll need to somehow maintain 2 ways (pre and post 7.3) of "injecting" our assets to Sidekiq Web UI?

@mperham
Copy link
Author

mperham commented May 8, 2024

Yep, unfortunately that is correct today. I'm open to suggestions for how to make this easier. This change is designed to remove an entire style of attack on the Web UI (XSS) but requires all /sidekiq pages to be compliant or they will break. There's 4-5 popular Sidekiq extensions so I'm hoping this will be doable but some of them have significant UI.

@markets
Copy link
Member

markets commented May 8, 2024
edited

Hello @mperham,

I reviewed all our front-end part for the Web UI, and we are not using any external js or css, just a couple of inline styles (some of them dynamically generated) in our ERB templates: https://github.com/search?q=repo%3Asidekiq-cron%2Fsidekiq-cron+style%3D&type=code. Do you think this is gonna be a problem? Sorry 🙏🏼 I have very little knowledge of CSP policies.

@mperham
Copy link
Author

mperham commented May 8, 2024

We're going to allow inline styles for 7.3 but they'll need to move to static classes + predefined javascript for 8.0. Right now I'm writing an example extension which you can use as a reference for how to do things the "correct" way.

@markets
Copy link
Member

markets commented May 8, 2024

Ok, thanks Mike! Please, share the example once you have a chance, I'll try refactor our inline styles asap, so we'll prepared for compatibility with the future Sidekiq release.

@mperham
Copy link
Author

mperham commented May 14, 2024

Here's the new registration API and example extension. Let me know what you think, everything is still malleable so feedback would be appreciated. I still need to add a test.

sidekiq/sidekiq#6292

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mperham @markets