feat(runtime): add csp reporting url env var

[JAdshead]

Description

Adding additional env var allow the configuration of the csp-violations report url

Motivation and Context

Currently only a single environment variable is used to configuring reporting urls which has lead to misconfiguration.

How Has This Been Tested?

Unit & Integrations tests

Types of Changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation (adding or updating documentation)

Checklist:

• My change requires a change to the documentation and I have updated the documentation accordingly.
• These changes should be applied to a maintenance branch.
• This change requires cross browser checks.
• Performance tests should be ran against the server prior to merging.
• This change impacts caching for client browsers.
• This change impacts HTTP headers.
• This change adds additional environment variable requirements for One App users.
• I have added the Apache 2.0 license header to any new files created.

What is the Impact to Developers Using One App?

Allows configuration of csp-violation and error reporting urls

[oneamexbot]

📊 Bundle Size Report

file name	size on disk	gzip
app.js	112.6KB	31.4KB
runtime.js	15KB	5.3KB
vendors.js	128.1KB	37.9KB
app~vendors.js	405.9KB	106KB
legacy/app.js	119.4KB	33KB
legacy/runtime.js	15KB	5.3KB
legacy/vendors.js	163KB	44.8KB
legacy/app~vendors.js	412KB	107.6KB

Generated by 🚫 dangerJS against dad4fd2

[JamesSingleton]

@JAdshead,

Any reason why there are changes in package-lock.json when there are none in the package.json?

[Francois-Esquire]

Do we need to update the route address for the middleware as well for reporting url?

https://github.com/americanexpress/one-app/blob/master/src/server/ssrServer.js#L69

Not sure if there is a reason for it or not. My only concern if I set ONE_CLIENT_CSP_REPORTING_URL to something different like /csp-violation instead, it would break with the hard coded route.. We also prob don't need that middleware if we have a complete url with https://my-csp-reporter.com/violation.

[JAdshead]

Do we need to update the route address for the middleware as well for reporting url?

https://github.com/americanexpress/one-app/blob/master/src/server/ssrServer.js#L69

Not sure if there is a reason for it or not. My only concern if I set ONE_CLIENT_CSP_REPORTING_URL to something different like /csp-violation instead, it would break with the hard coded route.. We also prob don't need that middleware if we have a complete url with https://my-csp-reporter.com/violation.

@Francois-Esquire one-app provides the reporting endpoints to allow users to optionally report back and log on the one-app server, there are cases where they will want to standup their own server for handling reports. setting ONE_CLIENT_CSP_REPORTING_URL and ONE_CLIENT_REPORTING_URL allows dependencies to consume those values and not be coupled to one-app's api.

[10xLaCroixDrinker]

If you're going to do this, may as well change the env var name altogether.

Suggested change

	ONE_CLIENT_REPORTING_URL=/_/report/errors
	ONE_CLIENT_ERROR_REPORTING_URL=/_/report/errors

[10xLaCroixDrinker]

Won't this also require a change to one-app-ducks?

[JAdshead]

changing the name would require a change which is why i left it, currently one-app-ducks is treating this as /_/report/errors - https://github.com/americanexpress/one-app-ducks/blob/master/src/errorReporting.js#L109

[10xLaCroixDrinker]

carry on 🖖

[10xLaCroixDrinker]

This should be updated as well: https://github.com/americanexpress/one-app/blob/master/prod-sample/one-app/base.env#L2

Can you validate that this is covered everywhere?

[JAdshead]

@10xLaCroixDrinker ☝️

[JAdshead]

This should be updated as well: https://github.com/americanexpress/one-app/blob/master/prod-sample/one-app/base.env#L2

Can you validate that this is covered everywhere?

I have been through and checked other repos for use of ONE_CLIENT_REPORTING_URL/reportingUrl and only occurrences i could find were in the generator and one-app-ducks. The generator is the only place that requires an update

[mtomcal]

Do we have documented anywhere how errors are POST-ed to the ONE_CLIENT_CSP_REPORTING_URL?

[JAdshead]

Do we have documented anywhere how errors are POST-ed to the ONE_CLIENT_CSP_REPORTING_URL?

This would be elaborated on in a creating CSP recipe that I don't think exists