17:23 <ill_logic> I don't know if this was mentioned before, but what if there's a big red warning for users that an app is no longer considered secure?

17:24 <ill_logic> At least for an interim? It's an intermediate nudge to get people to update their apps. But if people really need it they can use it.

17:25 <JacobWeisz[m]> I mean, I'd rather use an app with some styling broken than one that isn't secure.

17:26 <ill_logic> Oh if it's just css then sure.

17:26 <JacobWeisz[m]> And for the majority of apps which aren't broken by these changes, I'd rather not have a not-secure warning when it works fine in the more secure mode.

17:26 <JacobWeisz[m]> I think like the worst we are looking at is the math functions for a couple apps.

17:27 <JacobWeisz[m]> That probably aren't core functionality to begin with.

17:29 <ill_logic> BTW I mentioned a while ago the idea of having a test suite that covered all apps in the store. People didn't think it would be valuable.

17:30 <ill_logic> Not that I think it should be a priority, but I think this is an example of where it could be helpful. Some changes in Sandstorm could affect apps in surprising way.s

17:30 <JacobWeisz[m]> I think it's mostly the amount of work for the benefit with our available resources there. We don't break the app platform often.

17:31 <ill_logic> An issue of priority then, okay.

17:32 <JacobWeisz[m]> The two major changes Ian has PR'd are big technical debt items that once cleared out should leave us in a long term much better place... but do cause some immediate breakage.

17:56 <isd> Yeah, I don't anticipate having to break apps for security reasons being a recurring theme for long.

18:40 <mnutt> I've been a little out of the loop, I take it there's a security issue that will require apps to update?

18:40 <isd> Most apps should be fine (I tested davros, you're good)

18:41 <isd> And the issue isn't really news -- just getting around to closing some of the known, documented holes.

18:41 <TimMc> CSP?

18:41 <isd> Bingo.

18:42 <isd> See: https://github.com/sandstorm-io/sandstorm/pull/3409

18:42 <mnutt> ah ok

18:42 <mnutt> that's great to see

18:43 <mnutt> nice to have a technical restriction that enforces the way apps are _supposed_ to work, anyway

18:44 <isd> Yeah. What prompted me to do it was the mailing list thread in which ocdtrekkie had not even noticed that the app he was packaging was pulling in stuff from a CDN; ill_logic pointed it out.

18:44 <TimMc> How cool would it be to have a report-only mode where the framing warns you about all the "naughty" stuff the grain is doing?

18:44 <isd> I was like "This should fail loudly"

18:44 <mnutt> extremely old versions of davros were pulling in Google Fonts and I didn't actually notice until turning on CSP

18:45 <TimMc> (I half-remember some conversation about this, come to think of it...)

18:45 <isd> TimMc: Most stuff doesn't break badly for it to seem worth the trouble. For images/audio/video I'm thinking of using csp reports to do an email-style "some images were blocked for your privacy [click to show images]" style UI

18:45 <isd> badly enough

18:46 <isd> The PR does add an (undocuented) config option to sandstorm.conf to turn the CSP back off -- which we'll remove after a grace period -- in case somebody has a private app that is horribly broken and they come to us asking for more time to port their app.

18:46 <TimMc> That would be pretty amazing.

18:47 <TimMc> It would require a page reload, right?

18:47 <isd> Yeah. So if you click the button it would refresh the contents of the iframe with a relaxed CSP.

18:47 <mnutt> is this is a CSP set on the top-level sandstorm request which would filter down to the grain request, or CSP on the grain request itself?

18:48 <isd> Right now this is only applied to the grain itself -- it doesn't make any CSP changes to Sandstorm's primary domain

18:48 <mnutt> because davros' CSP is slightly more restrictive than sandstorm's, ideally there'd be a way to enforce the extra restrictions

18:49 <isd> mnutt: https://github.com/sandstorm-io/sandstorm/issues/3410

18:49 <mnutt> awesome, thanks

18:51 <isd> np

18:54 <mnutt> haha: https://github.com/mnutt/davros/blob/ccb0b4e7087608d38cabcb7de87401c21a5653bd/server/dav/safe-gets.js#L40

19:11 <JacobWeisz[m]> I am glad that after these two PRs, I can be reasonably confident grains are self-contained.

19:12 <isd> ocdtrekkie: I think you may want to wait on the csp report/popup for that conclusion.

19:12 <JacobWeisz[m]> Not that anyone was maliciously using httpGet that we know of... but it was possible.

19:12 <isd> tracking pixels are a thing.

19:12 <isd> Also, I think webrtc is still a possible vector?

19:12 <JacobWeisz[m]> True. Though apps will work without external scripts, which is mostly what I was thinking of there.

19:13 <isd> (and I'm not sure how to block webrtc, if we can...)

19:13 <isd> Yeah, it should be harder to miss un-obfuscated attempts.

19:13 <JacobWeisz[m]> I am always afraid when using old software for instance that some outside dependency on someone's server will shut off and things will be sad.

19:14 <JacobWeisz[m]> We should file issues on apps you found client side script loading.

19:15 <JacobWeisz[m]> Many may be abandoned anyways, but if the issues are filed people can potentially be notified that we know these will see breakage soon.

19:25 <isd> +1

19:25 <isd> afaik all of the breakage is listed in the comment I left.

19:39 <TimMc> I'm delighted to see Sandstorm finally growing into its promise as a secure environment.