@W-14446652@ Change CSP enforcement to an opt-in middleware.

[wjhsf]

In v3.2.0, to facilitate adoption of Storefront Preview, we introduced logic to enforce a Content-Security-Policy header containing all the directives that are required for PWA Kit / Storefront Preview to function. However, while making CSP management easier for those who use it, this is a breaking change for users who explicitly do not use the Content-Security-Policy header. 🤕 Oops.

This PR simply removes the middleware function from the internal logic of pwa-kit-runtime and exports it so that end users must opt in to using the function.

Description

Types of Changes

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Documentation update
• Breaking change (could cause existing functionality to not work as expected)
• Other changes (non-breaking changes that does not fit any of the above)

Breaking changes include:

• Removing a public function or component or prop
• Adding a required argument to a function
• Changing the data type of a function parameter or return value
• Adding a new peer dependency to package.json

Changes

• (change1)

How to Test-Drive This PR

• Check out v3.2.0, launch the app, save the CSP header.
• Check out this code, launch the app. CSP header should be the same.
• Remove the two security header middleware functions. Restart the app. CSP header should not be present.
  

  pwa-kit/packages/template-retail-react-app/app/ssr.js

  Lines 38 to 60 in 3582944

  	app.use(defaultSecurityHeaders)
  	// Set custom HTTP security headers
  	app.use(
  	helmet({
  	contentSecurityPolicy: {
  	useDefaults: true,
  	directives: {
  	'img-src': [
  	// Default source for product images - replace with your CDN
  	'*.commercecloud.salesforce.com'
  	],
  	'script-src': [
  	// Used by the service worker in /worker/main.js
  	'storage.googleapis.com'
  	],
  	'connect-src': [
  	// Connect to Einstein APIs
  	'api.cquotient.com'
  	]
  	}
  	}
  	})
  	)

• Bonus fun: move the defaultSecurityHeaders middleware to after the helmet middleware and see that it doesn't change the CSP!

Checklists

General

• Changes are covered by test cases
• CHANGELOG.md updated with a short description of changes (not required for documentation updates)

Accessibility Compliance

You must check off all items in one of the follow two lists:

• There are no changes to UI

or...

• Changes were tested with a Screen Reader (iOS VoiceOver or Android Talkback) and had no issues
• Changes comply with WCAG 2.0 guidelines levels A and AA
• Changes to common UI patterns and interactions comply with WAI-ARIA best practices

Localization

• Changes include a UI text update in the Retail React App (which requires translation)

[kevinxh]

What does "default" mean in this context? 🤔 we might want to be a bit more specific and call it likestorefrontPreviewSecurityHeaders(prob also a bad name) ?

[wjhsf]

By "default" I just mean "mandatory for PWA Kit to work". So it's not just Storefront Preview, even though that was the motivation for the change. And they're not strictly required if a project is using pwa-kit-runtime for something other than the retail react app.

Naming things is hard. 🤔

[kevinxh]

If I'm a developer, I would want to know the benefit of opting in defaultSecurityHeaders

The answer is: you can't use storefront preview on runtime admin... <- this might not be clear to end users.

[kevinxh]

wait... i think i might have misunderstanding...

if it is "mandatory for PWA Kit to work", why do we make it an opt-in?

[wjhsf]

Because some users don't want to have any CSP header, and @johnboxall said we should make it opt-in, rather than opt-out.

[johnboxall]

On naming: https://chat.openai.com/share/d5a18a26-08b3-47ea-a1ac-952dee512285

I don't have strong feelings, but the name should communicate that a) it is a express.js middleware [can also be implied from import] b) it sets security related headers required for using the PWA Kit

Yes, folks should be allowed to opt into these headers – LWR sites as an example don't want the PWA Kit CSP.

Also, some customers struggle to create a CSP. They're hard. Sometimes letting them go is the only way they can truly be free.

[vmarta]

My vote is on adding 'pwakit' to the name, like defaultPwaKitSecurityHeaders, so that it's more distinguishable. Because helmet also has a similar concept of defaults (see useDefaults on line 43).

[bfeister]

+1 agree defaultPwaKitSecurityHeaders is preferable

[kevinxh]

The behavior of enabling default headers seems more natural to me if it’s a configuration value…

const options = {
   ...,
   enableDefaultSecurityHeaders: true
}

[johnboxall]

This comment describes part of what this function does:

1. It is an express.js middleware that sets default security headers including CSP + HSTS for PWA Kit sites.
2. It patches res.setHeader to include defaults normally required for PWA Kit operation.

[vmarta]

My vote is on adding 'pwakit' to the name, like defaultPwaKitSecurityHeaders, so that it's more distinguishable. Because helmet also has a similar concept of defaults (see useDefaults on line 43).

[bfeister]

I think @johnboxall's point about extending the existing patch and then the PWA Kit namespacing of the mixin variable need some resolution before we merge this

[vmarta]

@wjhsf Let's review what the target branch should be for this PR. If we want this to be a hot fix, then we'll want to merge it into the release-3.2.x branch instead.