Skip to content
This repository has been archived by the owner on May 3, 2024. It is now read-only.

fix(csp): remove script nonce if inline scripts are disabled #700

Merged
merged 2 commits into from
Mar 14, 2022
Merged

fix(csp): remove script nonce if inline scripts are disabled #700

merged 2 commits into from
Mar 14, 2022

Conversation

guym4c
Copy link
Member

@guym4c guym4c commented Mar 14, 2022

The changes made in #636 are breaking due to the script nonce being added to the initial response, even if the environment variable is enabled and it is being correctly suppressed from the CSP header.

Description

The middleware that prepares the HTML response already includes a check to not apply the script nonce if it isn't populated, so we just need to ensure that the nonce is never populated if inline scripts are enabled in dev, rather than simply suppressing it in the header. I've moved the code applying up slightly inside the conditional blocks that run either in production, or if the env var isn't set.

I tested this feature using a root module, and it only occurs if the app's root module is a prod build and not being served, and so overlooked this scenario.

Motivation and Context

Bugfix for #636

This bug only occurs if you aren't serving your app's root module. In OneApp 5.13 you can avoid it by serving your root module.

How Has This Been Tested?

I tested it with a child module this time, in Firefox 97.0.2.

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation (adding or updating documentation)
  • Dependency update
  • Security update

Checklist:

  • My change requires a change to the documentation and I have updated the documentation accordingly.
  • These changes should be applied to a maintenance branch.
  • This change requires cross browser checks.
  • Performance tests should be ran against the server prior to merging.
  • This change impacts caching for client browsers.
  • This change impacts HTTP headers.
  • This change adds additional environment variable requirements for One App users.
  • I have added the Apache 2.0 license header to any new files created.

What is the Impact to Developers Using One App?

Feature added in #636 works in all scenarios

@guym4c guym4c requested review from a team as code owners March 14, 2022 15:35
@JAdshead
Copy link
Contributor

Good catch @guym4c

@Matthew-Mallimo Matthew-Mallimo changed the title Fix: remove script nonce entirely if inline scripts are disabled fix(csp): remove script nonce if inline scripts are disabled Mar 14, 2022
@Matthew-Mallimo Matthew-Mallimo merged commit d90954e into americanexpress:main Mar 14, 2022
@guym4c guym4c deleted the feat/disable-script-nonce-in-dev branch March 15, 2022 11:38
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@JAdshead JAdshead JAdshead approved these changes

@Matthew-Mallimo Matthew-Mallimo Matthew-Mallimo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@guym4c @JAdshead @Matthew-Mallimo