Open twrichards opened 3 months ago
> In the process I've removed https://accounts.google.com from the frame-src portion (added in https://github.com/guardian/grid/commit/bcdcb2e7125ce8a20fd292a2d58a2bc6b3e4b2ae) since I can't see how it would be used (although @andrew-nowak might have an idea).

This is necessary at least for the Guardian for panda-session to create the iframe to re-log users in after their panda cookie expires, as the reauth will include a redirect through accounts.google.com in that iframe.

You can test by running `document.cookie = 'panda-forceExpiry=1;domain=.test.dev-gutools.co.uk'` in your browser console, then waiting for the next auto-refresh of the search page.
Re-tested on TEST.

After some tweaks, ready for re-review.
NOTE: I've moved https://accounts.google.com into the `security.frameSources` config property in `kahuna.conf`, in response to:

> In the process I've removed accounts.google.com from the frame-src portion (added in bcdcb2e) since I can't see how it would be used (although @andrew-nowak might have an idea).

> This is necessary at least for the Guardian for panda-session to create the iframe to re-log users in after their panda cookie expires, as the reauth will include a redirect through accounts.google.com in that iframe.
@AndyKilmory noticed that there were a few things hardcoded into our CSP which we decided ought to be coming from config.

For example youtube.com (introduced in https://github.com/guardian/grid/pull/4127) is specific to a Guardian add-on (https://github.com/guardian/pinboard) which is added via the `scriptsToLoad` config, so this PR extends the `ScriptToLoad` case class to represent `additionalFrameSourcesForCSP` and `additionalImageSourcesForCSP` (to replace another hard-coded pinboard thing, which makes avatars work).

In the process I've removed https://accounts.google.com from the `frame-src` portion (added in https://github.com/guardian/grid/commit/bcdcb2e7125ce8a20fd292a2d58a2bc6b3e4b2ae) since I can't see how it would be used (although @andrew-nowak might have an idea).

- TEST config uploaded
- PROD config uploaded
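How the design above composes the CSP header from config plus per-add-on sources, as an added example that is not Grid's own code: the `ScriptToLoad` field names follow the PR, while the `Csp` object, its function signatures and the sample hosts are assumptions made for illustration.

```scala
// Added example, not Grid's own code: ScriptToLoad field names follow the PR, the rest is assumed.
final case class ScriptToLoad(
  host: String,
  additionalFrameSourcesForCSP: List[String] = Nil,
  additionalImageSourcesForCSP: List[String] = Nil
)
object Csp {
  // Render one directive; de-duplicate but keep order so the header stays stable across deploys.
  private def directive(name: String, sources: Seq[String]): String =
    (name +: sources.distinct).mkString(" ")
  // `frameSources` stands in for security.frameSources in kahuna.conf; each add-on in
  // scriptsToLoad contributes its own frame/image sources instead of a hardcoded host.
  def header(frameSources: Seq[String], scripts: Seq[ScriptToLoad]): String = {
    val frames = "'self'" +: (frameSources ++ scripts.flatMap(_.additionalFrameSourcesForCSP))
    val images = "'self'" +: scripts.flatMap(_.additionalImageSourcesForCSP)
    Seq(
      directive("default-src", Seq("'self'")),
      directive("script-src", "'self'" +: scripts.map(_.host)),
      directive("frame-src", frames),
      directive("img-src", images)
    ).mkString("; ")
  }
  // Parse a header back into directive -> sources, to check what a deployed config allows.
  def parse(header: String): Map[String, List[String]] =
    header.split(";").map(_.trim).filter(_.nonEmpty).map { d =>
      val parts = d.split("\\s+").toList
      parts.head -> parts.tail
    }.toMap

  // Exact-origin check; like the browser, fall back frame-src -> child-src -> default-src.
  def allowsFrame(header: String, origin: String): Boolean = {
    val d = parse(header)
    d.getOrElse("frame-src", d.getOrElse("child-src", d.getOrElse("default-src", Nil))).contains(origin)
  }
}

object CspExample {
  def main(args: Array[String]): Unit = {
    // Constructed sample config: pinboard brings its own sources; the re-auth origin comes from config.
    val pinboard = ScriptToLoad("https://pinboard.example.invalid", // placeholder add-on host
      List("https://www.youtube.com"), List("https://avatars.example.invalid"))
    val withReauth = Csp.header(Seq("https://accounts.google.com"), Seq(pinboard))
    val withoutReauth = Csp.header(Nil, Seq(pinboard))
    println(withReauth)
    // The panda re-auth iframe is only permitted when its origin is present in security.frameSources.
    println(Csp.allowsFrame(withReauth, "https://accounts.google.com"))
    println(Csp.allowsFrame(withoutReauth, "https://accounts.google.com"))
  }
}
```

Running `allowsFrame` against the header a given environment actually serves is a cheap check that dropping a host from the base policy did not silently break the panda re-auth iframe.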