Monday, May 29, 2017

Content Security Policy and S3 hosted site

When I went to implement a content security policy on I was disappointed to realize that the 'Content-Security-Policy' header is not one of the standard headers supported by S3's metadata API. This bLog
explains an approach using lambda on the CloudFront edge, but that looks crazy.

Fortunately - it turns out we can add a basic security policy to a page with a meta tag, so I added a <meta http-equiv="Content-Security-Policy" ...> tag to the nunjucks template that builds's html pages at gulp compile time. The full code is on github:

<meta http-equiv="Content-Security-Policy" 
  default-src 'none'; 
  img-src 'self' data:; 
  script-src 'self'; 
  style-src 'self'; 
  object-src 'none'; 
  font-src 'self'

Saturday, May 27, 2017

Update - new 511 app

I finally updated my little S3-hosted web sandbox at The update has a few parts. First - I took down some old javascript apps and CSS code that I had developed several years ago using the YUI framework (now defunct), and tried to cleanup and simplify the landing page.

Next, I posted some new code exploring app development and testing with vanillajs, custom elements, and CSS. The new code includes an update to the 511 app for timing labor contractions with the 511 rule. The app uses a simple custom element to show the distribution of contractions over the last hour on a SVG pie-chart. The code is on github.

Finally, I switched the code over to an ISC license. I don't want an LGPL license to discourage people for copying something they find useful.

There's still a lot I'd like to do with apps.littleware - starting with upgrading the site to https by putting the S3 bucket behind cloud front, and wiring up a service worker. We'll see how long it takes me to make time for that ...