MPP-3838: restore safer CSP #4854
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jwhitlock
requested changes
Jul 11, 2024
There was a problem hiding this comment.
The tests run fine on /accounts/profile/, but have errors on /faq/.
A warning "@next/third-parties: GA dataLayer dataLayer does not exist" is raised at GoogleAnalyticsWorkaround.tsx:103:12. This is then followed by an error
Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' https://www.google-analytics.com/ https://*.googletagmanager.com https://js.stripe.com/”
It doesn't happen when the trailing slash is in the path patterns.
privaterelay/middleware.py
Outdated
| from whitenoise.middleware import WhiteNoiseMiddleware | ||
|
|
||
| metrics = markus.get_metrics("fx-private-relay") | ||
|
|
||
|
|
||
| CSP_NONCE_COOKIE_URLS = ["/", "/premium", "/faq", "/accounts/profile/"] |
There was a problem hiding this comment.
Add "/phone/", "/premium/waitlist/", "/phone/waitlist/", "/vpn-relay/waitlist/", "/contains-tracker-warning/", "/account/settings/", "/accounts/account_inactive/", "/vpn-relay-welcome/", "/tracker-report/"
Add the trailing slash for /premium/ and /faq/
Use a new EagerNonceCSPMiddleware to add nonce to the CSP and update the React app to include it in dynamic scripts.
Use SpectacularSwaggerSplitView to load the script as a <script> tag instead of an inline script. This means 'unsafe-inline' is not needed for API docs.
groovecoder
force-pushed
the
ga4-csp-mpp-3838
branch
from
991403b to
78508ad
Compare
|
Updated to include all url paths returned by: (except the |
jwhitlock
reviewed
Jul 11, 2024
Co-authored-by: John Whitlock <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use a new EagerNonceCSPMiddleware to add nonce to the CSP and update the React app to include it in dynamic scripts.
This PR fixes MPP-3838.
How to test:
frontend/,npm run watchto build the new front-end filespython manage.py runserverl10n changes have been submitted to the l10n repository, if any.I've added a unit test to test for potential regressions of this bug.I've added or updated relevant docs in the docs/ directory.All UI revisions follow the coding standards, and use Protocol tokens where applicable (see/frontend/src/styles/tokens.scss).