stolostron / grc-ui

Apache License 2.0

[release-2.4] Add `script-src: 'unsafe-eval'` to CSP #905

Closed dhaiducek closed 2 years ago

dhaiducek commented 2 years ago

Addresses:

The culprit is a compile call by Handlebars in the wizard. One solution is to precompile the template but since it's a wizard we need the YAML to dynamically be recompiled, so updating the CSP does seem to be the solution.

This PR matches a similar update in console:

Other fields in the console PR match the defaults provided by helmet. (See helmet.contentSecurityPolicy(options) at https://helmetjs.github.io/). The resulting CSP after the change:

Content-Security-Policy:
  script-src  'self' 'unsafe-eval';
  default-src 'self';
  base-uri  'self';
  block-all-mixed-content;
  font-src 'self' https:  data:;
  frame-ancestors 'self';
  img-src 'self' data:;
  object-src  'none';
  script-src-attr 'none';
  style-src 'self' https:  'unsafe-inline';
  upgrade-insecure-requests

This also updates caniuse-lite, which is appearing in the logs and is a minor version update.
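As an added example (not code from the grc-ui project or from helmet), the following shows the directives object that a helmet-style `contentSecurityPolicy` configuration takes, serialized into the header value quoted above, together with a small audit that flags the keywords in `script-src` which relax script execution. The directive values are copied from the resulting CSP in this PR; the helpers `buildCsp`, `parseCsp` and `auditScriptSources` are assumptions of this example and are not part of helmet's API.

```javascript
// Added example: serialize a helmet-style directives object into a
// Content-Security-Policy header value, then audit the header for keywords
// that loosen script-src. The directive values mirror the CSP quoted in the
// PR; the builder, parser and audit are constructed here, not helmet's code.

const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'base-uri': ["'self'"],
  'block-all-mixed-content': [],
  'font-src': ["'self'", 'https:', 'data:'],
  'frame-ancestors': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  // 'unsafe-eval' is needed because Handlebars compiles templates at runtime.
  'script-src': ["'self'", "'unsafe-eval'"],
  'script-src-attr': ["'none'"],
  'style-src': ["'self'", 'https:', "'unsafe-inline'"],
  'upgrade-insecure-requests': [],
};

// Serialize directives to the header form "name value value; name; ...".
// Directives with no values (e.g. upgrade-insecure-requests) emit only the name.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(' ')}` : name))
    .join('; ');
}

// Parse a CSP header value back into a Map of directive name -> source list.
// Directive names are case-insensitive; source expressions are kept verbatim.
function parseCsp(header) {
  const out = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    out.set(name.toLowerCase(), values);
  }
  return out;
}

// Return the keywords present in the effective script-src that widen what
// scripts may execute. script-src falls back to default-src when absent, as
// the browser does. Useful as a review or CI check so that 'unsafe-eval'
// stays confined to the directive where it was deliberately introduced.
function auditScriptSources(header) {
  const csp = parseCsp(header);
  const scriptSrc = csp.get('script-src') || csp.get('default-src') || [];
  const findings = [];
  for (const keyword of ["'unsafe-eval'", "'unsafe-inline'", '*']) {
    if (scriptSrc.includes(keyword)) findings.push(keyword);
  }
  return findings;
}

// Usage: build the header from the PR's directives and audit it.
const header = buildCsp(CSP_DIRECTIVES);
console.log(header);
console.log('script-src keywords that relax CSP:', auditScriptSources(header));
```

Because `script-src` is set explicitly, `'unsafe-eval'` applies only to script loading and does not leak into `default-src`; `script-src-attr 'none'` and `object-src 'none'` remain as the defaults provide, so the change is limited to permitting the runtime template compilation the wizard needs.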

gparvin commented 2 years ago

/hold It looks good to me, holding in case you want Alex to double check it.

sonarcloud[bot] commented 2 years ago

Kudos, SonarCloud Quality Gate passed!

Quality Gate passed

Bug: A, 0 Bugs
Vulnerability: A, 0 Vulnerabilities
Security Hotspot: A, 0 Security Hotspots
Code Smell: A, 0 Code Smells

No Coverage information
0.0% Duplication

dhaiducek commented 2 years ago

The CI is passing now--this PR is ready for (re)review.

openshift-ci[bot] commented 2 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dhaiducek, gparvin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/stolostron/grc-ui/blob/release-2.4/OWNERS)~~ [dhaiducek,gparvin]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

dhaiducek commented 2 years ago

We use the latest Chrome version, so this should be CI validation that the new code is working since it failed for QE on v105 also:

  ┌────────────────────────────────────────────────────────────────────────────────────────────────┐
  │ Cypress:        8.5.0                                                                          │
  │ Browser:        Chrome 105 (headless)                                                          │

dhaiducek commented 2 years ago

/unhold