
MPP-3786: More settings changes for dockerflow #4609

Merged (6 commits), Apr 17, 2024

Conversation

jwhitlock
Member

@jwhitlock jwhitlock commented Apr 16, 2024

  • Refactor Content-Security-Policy (CSP) settings:
    • Move all the CSP logic to the same section, rather than scattered over the settings.
    • Use leading underscore _ for variables only used in privaterelay/settings.py
    • Base Mozilla Account URLs on FXA_BASE_ORIGIN instead of FXA_PROFILE_ENDPOINT
    • Use stage and production Mozilla account hosts for connect_src
    • If 'unsafe-inline' is used for styles, do not include hashes in style-src. If they are included, browsers will ignore unsafe-inline.
    • Allow setting a report URI, such as https://docs.sentry.io/product/security-policy-reporting/
  • Ensure DJANGO_SECURE_SSL_REDIRECT is converted to bool for SECURE_SSL_REDIRECT
  • Fix setting SILENCED_SYSTEM_CHECKS from the environment

How to test

I pushed this branch to the dev server to test. With the proper environment settings, https://dev.fxprivaterelay.nonprod.cloudops.mozgcp.net/__heartbeat__ shows {"status": "ok"}, and no CSP issues on the dashboard or API docs.

The CSP changes are targeted at local development and the dev server. The /api/v1/docs URL looks like this on main:

[screenshot: main-csp-blocked-doc]

With this PR, inline style is allowed, so there is a grey background applied:

[screenshot: pr-csp-allowed]

For /api/v1/docs/redoc, the sidebar floats a little from the edge:

[screenshot: main-csp-blocked-redoc]

With this PR, the sidebar hugs the edge:

[screenshot: PR-csp-allowed-redoc]

Refactor CSP settings to be in one section, and in the order they appear
in the Content-Security-Policy header.

The 'unsafe-inline' directive is ignored if there are nonce or hash
sources in the same directive. So, if we're using 'unsafe-inline', then
don't compute or use the hashes for the style-src.

Allow the environment to silence more system checks, used by dockerflow
for __heartbeat__. Ensure "models.W040" is included, even if not
specified.
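The 'unsafe-inline' versus hash interaction from the PR description and commit message, together with the two environment-parsing fixes (bool conversion and SILENCED_SYSTEM_CHECKS), as a standalone Python example added here; this is not the project's own settings code, and the function names and the DJANGO_SILENCED_SYSTEM_CHECKS variable name are assumptions.

```python
# Added example, not fx-private-relay code. The env var name in
# silenced_checks() is assumed; the project's actual name may differ.
import base64
import hashlib
import os

def style_hash(inline_css: str) -> str:
    """CSP hash source for one inline style body: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(inline_css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_style_src(origins, inline_styles, allow_unsafe_inline):
    """Source list for the style-src directive.

    Browsers ignore 'unsafe-inline' when the same directive also carries a
    nonce or hash source, so when we opt into 'unsafe-inline' (local dev,
    dev server) the hashes must be left out; otherwise the inline styles
    we meant to allow are blocked anyway.
    """
    sources = ["'self'", *origins]
    if allow_unsafe_inline:
        sources.append("'unsafe-inline'")
    else:
        sources.extend(style_hash(css) for css in inline_styles)
    return sources

def env_bool(name, default=False, environ=os.environ):
    """Environment values are strings ("False" is truthy); parse explicitly."""
    raw = environ.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in {"1", "true", "yes", "on"}

def silenced_checks(environ=os.environ, var_name="DJANGO_SILENCED_SYSTEM_CHECKS",
                    required=("models.W040",)):
    """Comma-separated check IDs from the environment, always including the
    checks the app itself needs silenced (models.W040 per the commit)."""
    raw = environ.get(var_name, "")
    checks = [c.strip() for c in raw.split(",") if c.strip()]
    for check in required:
        if check not in checks:
            checks.append(check)
    return checks

def csp_header(directives):
    """Serialize {"style-src": [...], ...} into a Content-Security-Policy value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())
```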
@jwhitlock jwhitlock marked this pull request as draft April 16, 2024 16:00
@jwhitlock jwhitlock force-pushed the more-dockerflow-mpp-3786 branch from da0ebb5 to 6d78df4 April 16, 2024 16:56
@jwhitlock jwhitlock marked this pull request as ready for review April 16, 2024 17:56
@jwhitlock jwhitlock requested a review from groovecoder April 16, 2024 17:58
@rafeerahman rafeerahman self-requested a review April 17, 2024 19:16
Contributor

@rafeerahman rafeerahman left a comment

Not too familiar with CSP and this work, a secondary review might be helpful.

Did not run into any errors with these changes and confirmed that the inline-styles applied.

@jwhitlock jwhitlock added this pull request to the merge queue Apr 17, 2024
Merged via the queue into main with commit 6d29fda Apr 17, 2024
27 checks passed
@jwhitlock jwhitlock deleted the more-dockerflow-mpp-3786 branch April 17, 2024 19:36
rafeerahman pushed a commit that referenced this pull request Apr 18, 2024
Member

@groovecoder groovecoder left a comment

changes LGTM too!

3 participants