Reach place where we can re-enable the CSP by default

[ocdtrekkie]

I think we should have a current/open tracking issue for work on concluding #3409. I considered a milestone, but I want to include issues which are not in the Sandstorm repo.

In order to test or utilize the more restrictive policy, server administrators can place ALLOW_LEGACY_RELAXED_CSP=false in their sandstorm.conf files and then restart Sandstorm.

App breakage we should definitely fix[1] before re-implementing this change by default:

• App Index: App Index review broken by client side CSP #3422
• ShareLatex: ShareLatex broken by client-side loading changes in 0.270 dwrensha/sharelatex#15

[1] I hesitate to add all tested apps listed in #3409, as many the impact is considered low and may or may not be noticeable to any users actively using them. I will update this list as we discuss.

[zenhack]

Since the two specific items listed here are both done, we should identify next steps. I am not confident that enough is fixed for us to switch this back on by default. What I think we should do:

• Put a call out to the mailing list asking users to test apps and report issues.
• Aggregate the issues, either as a list here, as a milestone or with a label.

From there we can identify specific actionable items, and turn it on by default when we run out.

Thoughts?

[ocdtrekkie]

I tested the App Index yesterday, and it appears to work, so that's good. I agree we should probably ask people to start opting into this policy soon. Perhaps we should recommend this and the new seccomp filter at the same time, once you feel reasonably comfortable with that one as well.

I meant to get draw.io updated, and never got around to wrapping that up... I was kind of hoping we'd see more app update activity prior to going forward with this, but things have been slow on that front.

[zenhack]

Quoting Jacob Weisz (2021-04-18 13:57:23)

and the new seccomp filter at the same time, once you feel reasonably comfortable with that

I don't yet; right now anything with mongo inside is going to be broken, so it doesn't seem like there's a ton of value in asking people to subject themselves to it when it's broken in ways that we know about and will keep us busy anyway. But I think we could go ahead with asking people to test the CSP filter. Even though we know that some apps are kinda broken, asking people to test will if nothing else tell us which apps are most important to get to.

[ocdtrekkie]

Okay, I am good with that. I guess my biggest concern is if we ask people to test it and find app issues, we presumably need to be on deck with fixing those app issues similarly to how ShareLatex's was handled.

[zenhack]

Another thing to track: with the current version of firefox the new etherpad package runs into an error, see: sandstormports/community-project#15 (comment)

We need to fix that one way or another before we throw the switch.

[ocdtrekkie]

Experimental draw.io fix is out that brings the math dependency into the package.

Of the list of apps you mentioned in the original issue:

• I am not publishing uWiki at this time, if I do it'll be fixed.
• My concern for heavy usage of Contact Otter is... low.
• The entire list of ones that just fail to load fonts I am fine with, as long as none of those fonts are icon fonts like ShareLatex used.
• I'd like to fix Brainstorm and Giftr, but trying to get meteor-spk to work in our current bitrot state with Mongo is an act of complete futility, neither of these apps I think we should hold because of.
• I've never heard of anyone using Dillinger or Swagger Editor on Sandstorm since they appeared. The former only affects math formulas.

IMHO, the issue with our updated Etherpad package is probably the only significant blocker here. Most of these packages we could probably monkeypatch and resign if absolutely needed without having to rebuild the entire thing.