gigascience / gigadb-website

Source code for running GigaDB
http://gigadb.org
GNU General Public License v3.0

[S781] Verify and update Content Security Policy configuration on AWS deployed web site (iframe) #742

Closed rija closed 2 years ago

rija commented 3 years ago
rija commented 2 years ago

Finding dataset pages to test:

```
gigadb=> select el.external_link_type_id, elt.name, max(identifier) from external_link el, external_link_type elt, dataset d  where el.external_link_type_id = elt.id and d.id = el.dataset_id and d.upload_status = 'Published' and el.external_link_type_id in (2,3,4,5,6,7,8) group by el.external_link_type_id, elt.name order by el.external_link_type_id;
 external_link_type_id |          name          |  max   
-----------------------+------------------------+--------
                     2 | Genome browser         | 101001
                     3 | Protocols.io           | 101053
                     4 | JBrowse                | 100644
                     5 | 3D Models              | 100911
                     6 | Code Ocean             | 100909
                     7 | Github links           | 100935
                     8 | USCS Tumour Map Viewer | 100781
(7 rows)
```

only1chunts commented 2 years ago

FYI - "Genome browser" and "Github links" currently don't display as iframes.

266 is about our desires for GitHub links.

Genome browser is a catch-all for non-JBrowse browsers, and I'm still not sure what we want to do with those! For the purposes of this testing ticket you can ignore both "GitHub link" and "Genome browser" types.

rija commented 2 years ago

Thanks @only1chunts for the info. I'll still record their status, as their not displaying like on live may be a symptom of an underlying, more general problem, either in the code or in the freshness of the test data I use, and even so, we could still decide not to do anything if that makes better sense.

Started testing and here is the initial status (had to change some of the example DOIs as several were timing out on my AWS deployment, which is a problem, but not in scope for this ticket):

| external_link_type_id | name | example DOI | status on my Fork deployment | status on staging.gigadb.org |
|---|---|---|---|---|
| 2 | Genome browser | 101001 | OK | ? |
| 3 | Protocols.io | 101053 | No [1] | ? |
| 4 | JBrowse | 100644 | No [2] | ? |
| 5 | 3D Models | 100294 | No [3] | ? |
| 6 | Code Ocean | 100909 | No [4] | ? |
| 7 | Github links | 100935 | No [5] | ? |
| 8 | USCS Tumour Map Viewer | 100781 | No [6] | ? |
| n/a | Hypothesis | 100761 | No [7] | ? |

[1] Content Security Policy: The page's settings blocked the loading of a resource at https://www.protocols.io/widgets/protocol/gene-modeling-and-prediction-rf7d3rn ("frame-src").

[2]

Content Security Policy: The page's settings blocked the loading of a resource at https://www.rosaceae.org/jbrowse/index.html?data=data%2Fpyrus%2Fpcommunis_v2.0&loc=Chr1%3A8630732..12945136&tracks=DNA&highlight= ("frame-src").

[3]

Content Security Policy: The page's settings blocked the loading of a resource at https://sketchfab.com/models/8bf1b1daf5fa478ca2c8028d5c59b5ec/embed ("frame-src"). 2

[4]

Content Security Policy: The page's settings blocked the loading of a resource at https://codeocean.com/algo.html?algorithmSlug=6833685 ("frame-src"). 2

[5] GitHub links section not appearing in the "Additional details" section. May not be related to CSP. Seems to be a problem server side or in the database.

[6] No tab for the viewer, maybe a database problem

[7]

Content Security Policy: The page's settings blocked the loading of a resource at https://hypothes.is/app.html#config=%7B%22appType%22%3Anull%2C%22annotations%22%3Anull%2C%22branding%22%3Anull%2C%22enableExperimentalNewNoteButton%22%3Anull%2C%22externalContainerSelector%22%3Anull%2C%22focus%22%3Anull%2C%22group%22%3Anull%2C%22onLayoutChange%22%3Anull%2C%22openSidebar%22%3Afalse%2C%22query%22%3Anull%2C%22requestConfigFromFrame%22%3Anull%2C%22services%22%3Anull%2C%22showHighlights%22%3A%22always%22%2C%22theme%22%3Anull%2C%22usernameUrl%22%3Anull%7D ("frame-src").
rija commented 2 years ago

I'll redeploy using the freshest backup of the production database to see if that eliminates [5] and [6] and makes the real CSP browser error show up.

rija commented 2 years ago

| external_link_type_id | name | example DOI | status on Forks | status on staging.gigadb.org |
|---|---|---|---|---|
| 2 | Genome browser | 101001 | OK | ? |
| 3 | Protocols.io | 101053 | No [1] | ? |
| 4 | JBrowse | 100644 | No [2] | ? |
| 5 | 3D Models | 100294 | No [3] | ? |
| 6 | Code Ocean | 100909 | No [4] | ? |
| 7 | Github links | 100935 | No [5] | ? |
| 8 | USCS Tumour Map Viewer | 100781 | No [6] | ? |
| n/a | Hypothesis | 100761 | No [7] | ? |

[1]

Content Security Policy: The page's settings blocked the loading of a resource at https://www.protocols.io/widgets/protocol/gene-modeling-and-prediction-rf7d3rn ("frame-src").

[2]

Content Security Policy: The page's settings blocked the loading of a resource at https://www.rosaceae.org/jbrowse/index.html?data=data%2Fpyrus%2Fpcommunis_v2.0&loc=Chr1%3A8630732..12945136&tracks=DNA&highlight= ("frame-src").

The URL will differ from dataset to dataset. For example, for DOI 100606 it will be

Content Security Policy: The page's settings blocked the loading of a resource at http://parrot.genomics.cn/index.html?data=100606 ("frame-src").

That's actually the most common URL used for JBrowse links.

[3]

Content Security Policy: The page's settings blocked the loading of a resource at https://sketchfab.com/models/8bf1b1daf5fa478ca2c8028d5c59b5ec/embed ("frame-src"). 2

[4]

Content Security Policy: The page's settings blocked the loading of a resource at https://codeocean.com/algo.html?algorithmSlug=6833685 ("frame-src"). 2

[5] GitHub links section not appearing in the "Additional details" section. Not related to CSP, so I will ignore it for the purpose of this task.

[6]

Content Security Policy: The page's settings blocked the loading of a resource at https://codeocean.com/algo.html?algorithmSlug=7759384 ("frame-src").
Content Security Policy: The page's settings blocked the loading of a resource at https://codeocean.com/algo.html?algorithmSlug=6833685 ("frame-src").

[7]

Content Security Policy: The page's settings blocked the loading of a resource at https://hypothes.is/app.html#config=%7B%22appType%22%3Anull%2C%22annotations%22%3Anull%2C%22branding%22%3Anull%2C%22enableExperimentalNewNoteButton%22%3Anull%2C%22externalContainerSelector%22%3Anull%2C%22focus%22%3Anull%2C%22group%22%3Anull%2C%22onLayoutChange%22%3Anull%2C%22openSidebar%22%3Afalse%2C%22query%22%3Anull%2C%22requestConfigFromFrame%22%3Anull%2C%22services%22%3Anull%2C%22showHighlights%22%3A%22always%22%2C%22theme%22%3Anull%2C%22usernameUrl%22%3Anull%7D ("frame-src").
rija commented 2 years ago

Update to the table

| external_link_type_id | name | example DOI | status on Forks |
|---|---|---|---|
| 2 | Genome browser | 101001 | OK |
| 3 | Protocols.io | 101053 | Ok |
| 4 | JBrowse | 100644 | Ok |
| 5 | 3D Models | 100294 | Ok |
| 6 | Code Ocean | 100909 | Ok |
| 7 | Github links | 100935 | No [1] |
| 8 | USCS Tumour Map Viewer | 100781 | No [2] |
| n/a | Hypothesis | 100761 | Ok |

Types 7 and 8 are failures not because of CSP but because of a difference between CNGB code and dev team code: [1] See #855 [2] See #856
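A policy check that can be run before deploying a `frame-src` change, as an added example that is not GigaDB's own code: it parses a CSP header and reports which of the embed URLs quoted in this thread the policy would let a page on https://gigadb.org frame. The policy string is constructed for illustration, and the matcher covers the host-source subset of CSP3 (scheme, host, `*.` wildcard host, port), not nonce or hash sources.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed example policy (not GigaDB's real configuration): frame-src lists
# the embed origins the comments above report the browser blocking.
EXAMPLE_CSP = ("default-src 'self'; frame-src 'self' https://www.protocols.io "
               "https://*.rosaceae.org https://sketchfab.com https://codeocean.com "
               "https://hypothes.is")

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _origin(url):
    u = urlsplit(url)
    return u.scheme.lower(), u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme.lower())

def source_matches(expr, url, page_origin):
    """True if one CSP source expression allows framing `url` (host-source subset of
    CSP3: scheme, host, *.wildcard host, port; 'none'/nonce/hash never match a URL)."""
    scheme, host, port = _origin(url)
    if expr == "'self'":
        return (scheme, host, port) == _origin(page_origin)
    if expr.startswith("'"):          # 'none', nonces, hashes: never a URL match
        return False
    if expr == "*":
        return scheme in ("http", "https")
    if expr.endswith(":"):            # scheme-source such as "https:"
        return scheme == expr[:-1].lower()
    e = urlsplit(expr if "://" in expr else "//" + expr)
    e_scheme = e.scheme.lower() or _origin(page_origin)[0]   # no scheme: inherit the page's
    if scheme != e_scheme and not (e_scheme == "http" and scheme == "https"):
        return False
    e_host = e.hostname or ""
    host_ok = host.endswith(e_host[1:]) if e_host.startswith("*.") else host == e_host
    return host_ok and port == (e.port or DEFAULT_PORTS.get(e_scheme))

def frame_allowed(header, urls, page_origin="https://gigadb.org"):
    """Map each embed URL to whether the page at `page_origin` may frame it under `header`."""
    policy = parse_csp(header)
    # CSP3 fallback chain for iframes: frame-src, then child-src, then default-src.
    sources = next((policy[d] for d in ("frame-src", "child-src", "default-src") if d in policy), None)
    if sources is None:
        return {u: True for u in urls}    # no governing directive: framing unrestricted
    return {u: any(source_matches(s, u, page_origin) for s in sources) for u in urls}
```

Note that the common JBrowse URL http://parrot.genomics.cn/index.html?data=100606 is plain http: even with a matching `frame-src` entry, browsers block an http iframe inside an https page as mixed content, so that embed needs an https endpoint rather than a policy change.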