2238 document unsafe-inline exception

[jtimpe]

Summary of Changes

Pull request closes #2238 Pull request closes #2843

Upon further investigation, the following low priority findings no longer show up in our latest Webinspect scans

• HTML5: CORS Prolonged Caching of Preflight Response
• HTML5: CORS Unsafe Methods Allowed

I have removed the changes associated with those findings and instead only addressed the final one

• HTML5: Misconfigured Content Security Policy

Since our Kibana implementation requires being served behind a proxy, the unsafe-eval and unsafe-inline directives mentioned by the scan are required. I've included some documentation in ADR 16 to reflect this.

How to Test

List the steps to test the PR These steps are generic, please adjust as necessary.

cd tdrs-frontend && docker-compose -f docker-compose.yml -f docker-compose.local.yml up -d
cd tdrs-backend && docker-compose -f docker-compose.yml -f docker-compose.local.yml up -d 

1. Open http://localhost:3000/ and sign in.
2. Proceed with functional tests as described herein.
3. Test steps should be captured in the demo GIF(s) and/or screenshots below.

   Demo GIF(s) and screenshots for testing procedure

Deliverables

More details on how deliverables herein are assessed included here.

Deliverable 1: Accepted Features

Checklist of ACs:

• [x] ADR 16 updated to capture new scenarios where unsafe-* policies are in-use
• [x] ADR 16 updated to capture security scanning tools that are flagging unsafe-* policies
• [x] lfrohlich and/or adpennington confirmed that ACs are met.

Deliverable 2: Tested Code

• Are all areas of code introduced in this PR meaningfully tested?
  • [ ] If this PR introduces backend code changes, are they meaningfully tested?
  • [ ] If this PR introduces frontend code changes, are they meaningfully tested?
• Are code coverage minimums met?
  • [ ] Frontend coverage: [insert coverage %] (see CodeCov Report comment in PR)
  • [ ] Backend coverage: [insert coverage %] (see CodeCov Report comment in PR)

Deliverable 3: Properly Styled Code

• [ ] Are backend code style checks passing on CircleCI?
• [ ] Are frontend code style checks passing on CircleCI?
• [ ] Are code maintainability principles being followed?

Deliverable 4: Accessible

• [ ] Does this PR complete the epic?
• [ ] Are links included to any other gov-approved PRs associated with epic?
• [ ] Does PR include documentation for Raft's a11y review?
• [ ] Did automated and manual testing with iamjolly and ttran-hub using Accessibility Insights reveal any errors introduced in this PR?

Deliverable 5: Deployed

• [ ] Was the code successfully deployed via automated CircleCI process to development on Cloud.gov?

Deliverable 6: Documented

• [x] Does this PR provide background for why coding decisions were made?
• [ ] If this PR introduces backend code, is that code easy to understand and sufficiently documented, both inline and overall?
• [ ] If this PR introduces frontend code, is that code easy to understand and sufficiently documented, both inline and overall?
• [ ] If this PR introduces dependencies, are their licenses documented?
• [x] Can reviewer explain and take ownership of these elements presented in this code review?

Deliverable 7: Secure

• [ ] Does the OWASP Scan pass on CircleCI?
• [ ] Do manual code review and manual testing detect any new security issues?
• [ ] If new issues detected, is investigation and/or remediation plan documented?

Deliverable 8: User Research

Research product(s) clearly articulate(s):

• [ ] the purpose of the research
• [ ] methods used to conduct the research
• [ ] who participated in the research
• [ ] what was tested and how
• [ ] impact of research on TDP
• [ ] (if applicable) final design mockups produced for TDP development

[codecov[bot]]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 93.11%. Comparing base (229c32c) to head (8b1b6a2). Report is 1 commits behind head on develop.

Additional details and impacted files

[](https://app.codecov.io/gh/raft-tech/TANF-app/pull/2941?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech) ```diff @@ Coverage Diff @@ ## develop #2941 +/- ## ======================================== Coverage 93.11% 93.11% ======================================== Files 272 272 Lines 7055 7055 Branches 591 591 ======================================== Hits 6569 6569 Misses 392 392 Partials 94 94 ``` | [Flag](https://app.codecov.io/gh/raft-tech/TANF-app/pull/2941/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech) | Coverage Δ | | |---|---|---| | [dev-backend](https://app.codecov.io/gh/raft-tech/TANF-app/pull/2941/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech) | `93.19% <ø> (ø)` | | | [dev-frontend](https://app.codecov.io/gh/raft-tech/TANF-app/pull/2941/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech) | `92.62% <ø> (ø)` | | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech#carryforward-flags-in-the-pull-request-comment) to find out more. ------ [Continue to review full report in Codecov by Sentry](https://app.codecov.io/gh/raft-tech/TANF-app/pull/2941?dropdown=coverage&src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech). > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech) > `Δ = absolute (impact)`, `ø = not affected`, `? = missing data` > Powered by [Codecov](https://app.codecov.io/gh/raft-tech/TANF-app/pull/2941?dropdown=coverage&src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech). Last update [2729026...8b1b6a2](https://app.codecov.io/gh/raft-tech/TANF-app/pull/2941?dropdown=coverage&src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=raft-tech).

[raftmsohani]

changes needed:

1) need to make the frontend to load without unsafe-inline: see this https://github.com/facebook/create-react-app/issues/6643#issuecomment-473183280 2)

[raftmsohani]

UPDATE Apr 9th: To be able to have separate CSP header for the website and for Kibana, we will need to move the CSP header assignment to /location directive. The headers that are set in .conf file cannot be overwritten in /location directive and we can only add headers. There are two separate issues with this change:

1. TDRS website security: currently the frontend needs unsafe-inline directive in the CSP header both for style CSS files and for running .js file and finally for making axios requests. (there are a couple of solutions to this problem, but one is to separate css file into a static add and then add a token to other .js requests. This needs more investigation and work
2. For Kibana: there is no workaround to needed unsafe-inline tag. To reduce the risk, we can move this tag to the /kibana in the location file and remove the CSP header from .conf file.

[ADPennington]

per async on 5/10 with @jtimpe -- we agreed that this PR can also close #2843