guardian / grid

The Guardian's image management system
https://www.theguardian.com/info/developer-blog/2015/aug/12/open-sourcing-grid-image-service
Apache License 2.0

replace some hard coded clauses of the Content-Security-Policy with config #4255

Open twrichards opened 3 months ago

twrichards commented 3 months ago

@AndyKilmory noticed that there were a few things hardcoded into our CSP which we decided ought to be coming from config.

For example, youtube.com (introduced in https://github.com/guardian/grid/pull/4127) is specific to a guardian add-on (https://github.com/guardian/pinboard) which is added via the `scriptsToLoad` config, so this PR extends the `ScriptToLoad` case class to represent `additionalFrameSourcesForCSP` and `additionalImageSourcesForCSP` (to replace another hard coded pinboard thing, which makes avatars work).

In the process I've removed https://accounts.google.com from the frame-src portion (added in https://github.com/guardian/grid/commit/bcdcb2e7125ce8a20fd292a2d58a2bc6b3e4b2ae) since I can't see how it would be used (although @andrew-nowak might have an idea).


github-actions[bot] commented 3 months ago

Deploy build 12370 to TEST

All deployment options - [Deploy build 12370 to TEST](https://riffraff.gutools.co.uk/deployment/deployAgain?project=media-service%3A%3Agrid%3A%3Aall&build=12370&stage=TEST&updateStrategy=MostlyHarmless&action=deploy) - [Deploy parts of build 12370 to TEST by previewing it first](https://riffraff.gutools.co.uk/preview/yaml?project=media-service%3A%3Agrid%3A%3Aall&build=12370&stage=TEST&updateStrategy=MostlyHarmless)

From guardian/actions-riff-raff.

andrew-nowak commented 3 months ago

> In the process I've removed https://accounts.google.com from the frame-src portion (added in https://github.com/guardian/grid/commit/bcdcb2e7125ce8a20fd292a2d58a2bc6b3e4b2ae) since I can't see how it would be used (although @andrew-nowak might have an idea).

This is necessary, at least for the Guardian, for panda-session to create the iframe to re-log users in after their panda cookie expires, as the reauth will include a redirect through accounts.google.com in that iframe.

You can test by running `document.cookie = 'panda-forceExpiry=1;domain=.test.dev-gutools.co.uk'` in your browser console, then waiting for the next auto-refresh of the search page.
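To make the two points above concrete (frame sources assembled from config rather than hard-coded, and the reauth iframe being blocked if accounts.google.com is missing from frame-src), here is an added example that is not code from guardian/grid or pinboard. It assumes a config shape modelled on the discussion: a base policy, a `security.frameSources`-style list, and per-script additional frame/image sources. The origin, script URL and sample sources are constructed for the illustration, and the CSP source matching is a simplified version of the host-source rules (no IPv6 hosts, no redirect-specific path handling).

```python
"""Build a Content-Security-Policy from config and check frame URLs against it.

Added example, not guardian/grid code. Config names and sample values are
assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed page origin (stands in for a Grid instance).
ORIGIN = "https://grid.example.test"


@dataclass(frozen=True)
class ScriptToLoad:
    """A third-party script plus the CSP sources it needs (assumed shape)."""
    url: str
    additional_frame_sources: tuple = ()
    additional_image_sources: tuple = ()


# Constructed base policy; in the real app this would come from config.
BASE_DIRECTIVES = {
    "default-src": ["'self'"],
    "frame-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "script-src": ["'self'"],
}

# Constructed add-on script that embeds YouTube frames and loads avatar images.
PINBOARD_SCRIPT = ScriptToLoad(
    url="https://pinboard.example/script.js",
    additional_frame_sources=("https://www.youtube.com",),
    additional_image_sources=("https://avatars.example",),
)


def build_csp(base, frame_sources, scripts):
    """Merge base directives, configured frame sources and per-script sources."""
    directives = {name: list(values) for name, values in base.items()}
    directives["frame-src"] += list(frame_sources)  # e.g. security.frameSources
    for script in scripts:
        directives["script-src"].append(script.url)
        directives["frame-src"] += list(script.additional_frame_sources)
        directives["img-src"] += list(script.additional_image_sources)
    # dict.fromkeys de-duplicates while preserving order
    return "; ".join(f"{name} {' '.join(dict.fromkeys(vals))}"
                     for name, vals in directives.items())


def parse_csp(header):
    """Split a policy string into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _default_port(scheme):
    return {"http": 80, "https": 443}.get(scheme)


def _split_host_source(expr):
    """Return (scheme, host, port, path) of a host-source expression."""
    scheme, rest = (expr.split("://", 1) if "://" in expr else (None, expr))
    path = None
    if "/" in rest:
        rest, tail = rest.split("/", 1)
        path = "/" + tail
    port = None
    if ":" in rest:  # IPv6 literals not handled in this simplified matcher
        rest, port = rest.rsplit(":", 1)
        port = port if port == "*" else int(port)
    return (scheme.lower() if scheme else None), rest.lower(), port, path


def source_allows(expr, url, page_origin):
    """Does one CSP source expression permit loading `url` from `page_origin`?"""
    u = urlsplit(url)
    u_port = u.port or _default_port(u.scheme)
    if expr == "'self'":
        o = urlsplit(page_origin)
        return (u.scheme, u.hostname, u_port) == (o.scheme, o.hostname, o.port or _default_port(o.scheme))
    if expr.startswith("'"):  # 'none', nonces and hashes never permit a frame URL
        return False
    if expr.endswith(":") and "://" not in expr and "/" not in expr:  # scheme-source
        s = expr[:-1].lower()
        return u.scheme == s or (s == "http" and u.scheme == "https")
    scheme, host, port, path = _split_host_source(expr)
    scheme = scheme or urlsplit(page_origin).scheme
    if u.scheme != scheme and not (scheme == "http" and u.scheme == "https"):
        return False
    u_host = (u.hostname or "").lower()
    if host.startswith("*."):
        if not u_host.endswith(host[1:]):  # '*.example.com' excludes bare example.com
            return False
    elif host != "*" and u_host != host:
        return False
    if port is None:
        if u_port != _default_port(u.scheme):
            return False
    elif port != "*" and u_port != port:
        return False
    if path and not (u.path.startswith(path) if path.endswith("/") else u.path == path):
        return False
    return True


def frame_allowed(csp_header, url, page_origin):
    """Check `url` against frame-src, falling back to child-src then default-src."""
    policy = parse_csp(csp_header)
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return any(source_allows(e, url, page_origin) for e in policy[name])
    return True  # no governing directive: frames are unrestricted
```

Running `build_csp(BASE_DIRECTIVES, ["https://accounts.google.com"], [PINBOARD_SCRIPT])` yields a frame-src of `'self' https://accounts.google.com https://www.youtube.com`; dropping the first list argument produces a policy under which `frame_allowed` rejects the Google reauth URL, which is exactly the breakage described in the comment above.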

twrichards commented 2 months ago

Re-tested on TEST after some tweaks, ready for re-review 🙏

NOTE: I've moved https://accounts.google.com into the `security.frameSources` config property in `kahuna.conf` in response to...

> In the process I've removed accounts.google.com from the frame-src portion (added in bcdcb2e) since I can't see how it would be used (although @andrew-nowak might have an idea).

> This is necessary, at least for the Guardian, for panda-session to create the iframe to re-log users in after their panda cookie expires, as the reauth will include a redirect through accounts.google.com in that iframe.