kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev
frigginglorious has quit [Read error: Connection reset by peer]
_whitelogger has joined #sandstorm
ill_logic has joined #sandstorm
<ill_logic> Error messages in the browser console aren't very useful here are they
<ill_logic> Is there a way to improve this?
_whitelogger has joined #sandstorm
<isd> ?
<isd> I feel like I'm missing some context.
<JacobWeisz[m]> Ian, any idea where the cert issue is for the person who moved their install?
_whitelogger has joined #sandstorm
<isd> Are we sure using create-acme-account is correct if they've already got a sandcats domain?
<isd> That seems suspicious, but I have no idea.
<isd> As you pointed out, they may be the first person to actaully try this...
<JacobWeisz[m]> Yeah, and all our "move your Sandcats" advice is old.
<isd> I'm trying to recover an old sandcats domain I don't use anymore, let's see how it goes.
<isd> So 1GiB of memory is apparently not enough to run sandstorm, even with no grains.
<isd> I feel like we ought to be able to do better than that.
<isd> I think I know why actually; it's falling over downloading apps, and I remmeber spotting some places where it seemed like we should be applying backpressure but aren't.
<isd> So, restoring the sandcats domain worked, but I had to do create-acme-account & renew certificate manually before any pages would actually load
<isd> (also, once it finished downloading the base apps it stopped using excessive amounts of memory)
<JacobWeisz[m]> Our basic apps have grown a lot since they were first pinned.
<isd> yeah, but it shouldn't keep them all in memory.
<JacobWeisz[m]> I suggested running those two commands and it didn't help them.
<isd> It sounds like they tried to copy over files from an old install, whereas I went through the sandcats recovery on a fresh one.
<isd> Opened an issue for the memory thing
frigginglorious has joined #sandstorm
frigginglorious has quit [Ping timeout: 265 seconds]
frigginglorious has joined #sandstorm
frigginglorious has quit [Ping timeout: 240 seconds]
_whitelogger has joined #sandstorm
asheesh has joined #sandstorm
<asheesh> Hey all!
<abliss> Hi asheesh! how goes?
<asheesh> Good! How about you abliss? :)
<asheesh> I saw the email about requesting testers for the Content-Security-Policy rollout. Wanted to ask if you've thought about using Content-Security-Policy-Report-Only as a way to track the errors in a log file, etc.
<abliss> can't complain! Yeah, Ian Denhardt has mentioned that idea.
<asheesh> If not, then I want to enthusiastically suggest the idea, as it has helped me in the past roll out a Content-Security-Policy, and offer non-coding help like Q&A or links.
<asheesh> Oh, good :)
<abliss> I think his plan is to have sandstorm intercept them and pop open a notification in the shell, like "Sandstorm has blocked external images to protect yoru privacy. Load them?" similar to gmail
<abliss> then if you authorize, it reloads the frame with a weaker CSP.
<asheesh> That's a decent approach. I would encourage considering something simpler yet more aggressive, which is that for the next 6-12 months, if you enable legacy mode in the CSP config option, Sandstorm logs violations to a file somewhere and doesn't do any smart work to process them. If that file exists, and you're an admin, you see a bell notification saying you should read that file and fix the apps that your users are
<asheesh> using.
<asheesh> Then, 6-12 months later, you disable the legacy feature, and don't ever allow people to go back to legacy mode.
<asheesh> I suppose this breaks one initial promise that Sandstorm will never break apps, but maybe I'm flexible about the precise definition of that.
<abliss> Yeah, I like that approach too.
<asheesh> Nice to see you all here! I may wander off in a while.
<asheesh> Hello to anyone I don't know :D
asheesh has left #sandstorm [#sandstorm]
<JacobWeisz[m]> Aww, I missed Asheesh
<isd> :(
XgF has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
XgF has joined #sandstorm
_whitelogger has joined #sandstorm
frigginglorious has joined #sandstorm
<ill_logic> Ian Denhardt: I mean that I'm getting client errors, and the report is something I can't really decipher. Server errors are a bit more clear.
frigginglorious has quit [Remote host closed the connection]
<xet7> Aww, so nice Asheesh visited here :)
<xet7> Hope he comes here again sometime :)
<xet7> What? X-Frame-Options ALLOW-FROM is deprecated? What I should use instead?
<xet7> What Sandstorm issue number is about that CSP rollout?
<isd> (n.b. the X-Frame-Options message is not new)
<xet7> Well, Wekan still has settings for that X-Frame-Options ALLOW-FROM, with TRUSTED_URL=https://example.com and BROWSER_POLICY_ENABLED=true
<xet7> I have hard time keeping up with all the updates to browsers and npm packages. There are some security issue found in some npm package very often.