department-of-veterans-affairs / next-build

Front-end templating, build, and deploy for VA.gov CMS content.
Creative Commons Zero v1.0 Universal

Sets up scripts to place pseudo nonces to be transformed by revproxy. #787

Closed timcosgrove closed 1 month ago

timcosgrove commented 1 month ago

Description

Adds nonce placeholders which will be substituted by the reverse proxy.

Ticket

https://github.com/department-of-veterans-affairs/next-build/issues/789

Developer Task

- [x] PR submitted against the `main` branch of `next-build`.
- [x] Link to the issue that this PR addresses (if applicable).
- [x] Define all changes in your PR and note any changes that could potentially be breaking changes.
- [x] PR includes steps to test your changes and links to these changes in the Tugboat preview (if applicable).
- [x] Provided before and after screenshots of your changes (if applicable).
- [x] Alerted the #accelerated-publishing Slack channel to request a PR review.
- [ ] You understand that once approved, you are responsible for merging your changes into `main`. (Note that changes to `main` will move automatically into production.)

Testing Steps

You will need to set up a reverse proxy Preview server tunnel, using the preview instance from this PR: https://github.com/department-of-veterans-affairs/vsp-platform-revproxy/pull/687

Confirm that a Staging Content release has gone out with this code:

  1. Visit https://main-medc0xjkxm4jmpzxl3tfbcs7qcddsivh.ci.cms.va.gov/admin/config/system/feature_toggle and make sure the Event & Event Listing feature flags are enabled.
  2. Run a Content Release: Staging run, with this branch tcosgrove_nonce selected rather than main: https://github.com/department-of-veterans-affairs/next-build/actions/workflows/content-release-staging.yml

Then, run through these steps:

  1. Open the web inspector on your browser, and have the console open and ready.
  2. Visit https://staging.va.gov/outreach-and-events/events/. Confirm that you are tunneling through the Preview reverse proxy instance.
  3. Confirm in the response headers that you are seeing Next Build content.
  4. Confirm that you do not see any errors in the console indicating that Content Security Policy is preventing scripts from loading.
  5. Confirm that the page is loading fully as expected, including the header & footer.
  6. View source (not with the web inspector; actual source), and search for ssgManifest.js. For the script tag where that is loaded, you should see a nonce included in the script tag, something like the following:

```html
<script src="/_next/static/vagovprod/_ssgManifest.js" defer="" nonce="cizixRUsiHF42ScikEQvnlNficBfj3Mr"></script>
```

Do the above steps again for any individual event page.