[dev] Add CSP report endpoint and generalise policy#5907
Conversation
Reports are recorded with structured logging
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## develop #5907 +/- ##
===========================================
- Coverage 84.85% 84.82% -0.03%
===========================================
Files 1491 1492 +1
Lines 33931 33936 +5
Branches 3613 3613
===========================================
- Hits 28791 28787 -4
- Misses 4289 4302 +13
+ Partials 851 847 -4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
BenTopping
left a comment
There was a problem hiding this comment.
Would it make sense to use config.content_security_policy_report_only = true report only to start with in case we have uncaught script executions
| # | ||
| # The content security policy itself is defined in config/initializers/content_security_policy.rb | ||
| module ViteRailsNoncePatch | ||
| def vite_javascript_tag(*names, **options) |
There was a problem hiding this comment.
Is the alternative to this adding nonce: true to all vite_javascript_tag's?
There was a problem hiding this comment.
Correct, and that does work.
The UJS version is also defined in a central location:
Correct, this is already set. |
This is mostly due to old jQuery, but could have other causes
This is due to legacy code and practises that need updating
Closes #5713
Changes proposed in this pull request
Warning
The policy
policy.style_src_attr :unsafe_inlineopens a hole in the CSP layer negating many of the benefits that a content security policy brings.It is strongly recommended that any instances of inline
styleattributes be converted to Bootstrap classes or stylesheets.Usages can be found using:
For more detail see https://centralcsp.com/docs/style-src-attr.
Informative resources
Official Rails Guide
Useful background
Specifications
Instructions for Reviewers
[All PRs] - Confirm PR template filled
[Feature Branches] - Review code
[Production Merges to
main]- Check story numbers included
- Check for debug code
- Check version