New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sidekiq 7.3 compatibility #468
Comments
Thanks for the info @mperham! Will take a look asap this new API is defined. Just a question for now, I understand this will only work with Sidekiq 7.3+ right? That means, that we'll need to somehow maintain 2 ways (pre and post 7.3) of "injecting" our assets to Sidekiq Web UI? |
Yep, unfortunately that is correct today. I'm open to suggestions for how to make this easier. This change is designed to remove an entire style of attack on the Web UI (XSS) but requires all /sidekiq pages to be compliant or they will break. There's 4-5 popular Sidekiq extensions so I'm hoping this will be doable but some of them have significant UI. |
Hello @mperham, I reviewed all our front-end part for the Web UI, and we are not using any external js or css, just a couple of inline styles (some of them dynamically generated) in our ERB templates: https://github.com/search?q=repo%3Asidekiq-cron%2Fsidekiq-cron+style%3D&type=code. Do you think this is gonna be a problem? Sorry 🙏🏼 I have very little knowledge of CSP policies. |
We're going to allow inline styles for 7.3 but they'll need to move to static classes + predefined javascript for 8.0. Right now I'm writing an example extension which you can use as a reference for how to do things the "correct" way. |
Ok, thanks Mike! Please, share the example once you have a chance, I'll try refactor our inline styles asap, so we'll prepared for compatibility with the future Sidekiq release. |
Here's the new registration API and example extension. Let me know what you think, everything is still malleable so feedback would be appreciated. I still need to add a test. |
Sidekiq 7.3 will remove support for inline styling and scripts. This means you'll need to move your dynamic styling into a separate CSS file and flag it with the current nonce.
Where
sidekiq-cron.css
should go into a directory which you have added to Sidekiq::Web's asset paths. I don't have an API for this yet -- TBD.See sidekiq/sidekiq#6270
The text was updated successfully, but these errors were encountered: