K8Sewell
commented
3 weeks ago What steps would be to be taken to enable a CSP for DCS?
- Enable CSP settings in config/initializers/content_security_policy.rb
- Add trusted resources to allowlist to resolve browser alerts
- Address inline code by doing one of the following:
- Move all inline code and inline styles to a file.
- Move the code to a tag and get its hash key.
- Use a 'nonce' tag attribute and add it to the corresponding tag.
- Files w/
<script>tag:- Management - 1
- Blacklight - 6
- Files w/
How long would it take for this type of configuration to be enabled?
4 to 12 hours
How do we turn on the CSP without breaking the inline javascript?
There is a setting to enable a reporting only functionality. However, once CSP is enabled it will break all inline javascript. Enabling this report only operation should only take 30 minutes to 2 hours.
For the CSP SPA exception, we need to conduct some research about implementing a CSP for DCS. Here are some questions to start the investigation:
-What steps would be to be taken to enable a CSP for DCS? -How long would it take for this type of configuration to be enabled? -How do we turn on the CSP without breaking the inline javascript?