Updated content security policy to allow script and style from google analytics

[RajeshPaul38]

Signed-off-by: Rajesh Paul rajesh.paul@progress.com

Description

[Please describe what this change achieves]

Issues Resolved

[List any existing issues this PR resolves, or any Discourse or
StackOverflow discussions that are relevant]

Check List

• New functionality includes tests
• All buildkite tests pass
• Full omnibus build and tests in buildkite pass
• All commits have been signed-off for the Developer Certificate of Origin. See https://github.com/chef/chef/blob/main/CONTRIBUTING.md#developer-certification-of-origin-dco
• PR title is a worthy inclusion in the CHANGELOG

[netlify]

👷 Deploy Preview for chef-supermarket processing.

Name	Link
🔨 Latest commit	058fccd
🔍 Latest deploy log	https://app.netlify.com/sites/chef-supermarket/deploys/624c5b0599e2450008b2b458

[RajeshPaul38]

Buildkite: https://buildkite.com/chef/chef-supermarket-main-omnibus-adhoc/builds/423

[RajeshPaul38]

ad hoc build has passed

[RajeshPaul38]

This snippet doesn't seem to be working. Got the reference to the new script from this link: https://developers.google.com/analytics/devguides/collection/gtagjs

[msys-sgarg]

@RajeshPaul38 Can we have screenshots with the PR to make sure that google analytics are working fine with this change ?

[RajeshPaul38]

@RajeshPaul38 Can we have screenshots with the PR to make sure that google analytics are working fine with this change ?

Sure, let me attach

[RajeshPaul38]

Here is how the data is getting reflected in google analytics. @msys-sgarg

[antima-gupta]

Looks good to me

[msys-sgarg]

@RajeshPaul38 I hope we took a look into the script injection possibilities with this change ?

[RajeshPaul38]

@msys-sgarg thanks for pointing out the possible chances of XSS attack. I've tried to mitigate it as much as possible by disabling inline scripts and only keeping the inline css enabled. I've used a CSP mechanism called nonce which ensures only the inline scripts that is signed with a valid nonce, will be allowed by the CSP. This nonce is a hash that gets generated uniquely for every request. Hence the chances of XSS attack is zero as no one else will know what will be the nonce hash for a certain request. Hope this is a satisfactory resolution for the issues pointed out during the demo. If yes pls approve.

[RajeshPaul38]

Build: https://buildkite.com/chef/chef-supermarket-main-omnibus-adhoc/builds/438

[RajeshPaul38]

Checked my changes in an EC2 instance. See below screenshot:

[RajeshPaul38]

Can we get this merged with priority @saghoshprogress as this is a customer bug?

[RajeshPaul38]

Ready for merge @saghoshprogress

[RoyShravani]

@RajeshPaul38 Deploy preview check failed. please take a look!

[RajeshPaul38]

I've tried debugging the issue with netlify build. But seems like an issue in the build process, not related to this PR. Pls approve.