sheetsj’s Twitter Archive — № 3,353

1. Who knew setting a strict Content Security Policy would be so hard to do when using a library dependent on CSS-in-JS like Material-UI?
2. …in reply to @sheetsj: In short, you must set a nonce in a header, and provide it in the served index.html file: material-ui.com/css-in-js/advanced/#content-security-policy-csp
3. …in reply to @sheetsj: When using AWS S3 + CloudFront, that means using a Lambda@Edge script to set the header: aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/
4. …in reply to @sheetsj: But injecting a nonce into the rendered HTML isn’t currently easily possible with Lambda@Edge. You must get hacky: engineering.dubsmash.com/how-dubsmash-uses-lambda-edge-to-serve-dynamic-spa-using-s3-1ba865d34512
5. …in reply to @sheetsj: All of this to get an A rating on observatory.mozilla.org/
6. …in reply to @sheetsj: Nothing really custom in there though — it’s all pretty generic
7. …in reply to @sheetsj: Would be great for web security if @awscloud added this feature enabled by a checkbox config in @cloudfront
8. …in reply to @sheetsj: Unless the @QuinnyPig or @jeremy_daly twitterverse knows of an existing easy serverless way?