Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#4205] Allow any form-action CSP #4223

Merged
merged 3 commits into from
May 8, 2024
Merged

[#4205] Allow any form-action CSP #4223

merged 3 commits into from
May 8, 2024

Conversation

Viicos
Copy link
Contributor

@Viicos Viicos commented Apr 24, 2024
edited
Loading

Fixes #4205.

I'm wondering if it makes sense to keep the ADDITIONAL_CSP_VALUES hardcoded values?

@Viicos Viicos requested a review from joeribekker April 24, 2024 10:29
@alextreme alextreme mentioned this pull request Apr 24, 2024
Closed
@Viicos Viicos removed the request for review from joeribekker April 29, 2024 13:44
Viicos
Viicos commented Apr 29, 2024
View reviewed changes
src/openforms/conf/base.py Outdated Show resolved Hide resolved
@codecov Codecov
Copy link

codecov bot commented Apr 29, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.12%. Comparing base (fefada5) to head (72ea3e7).
Report is 17 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #4223      +/-   ##
==========================================
- Coverage   96.13%   96.12%   -0.02%     
==========================================
  Files         733      729       -4     
  Lines       23538    23491      -47     
  Branches     2760     2757       -3     
==========================================
- Hits        22629    22580      -49     
- Misses        642      645       +3     
+ Partials      267      266       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Viicos
Viicos commented Apr 30, 2024
View reviewed changes
src/openforms/conf/base.py Outdated Show resolved Hide resolved
sergei-maertens
sergei-maertens reviewed May 1, 2024
View reviewed changes
Copy link
Member

@sergei-maertens sergei-maertens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm okay with this changeset, but I also think we can/should revert the mechanism then that digid/eherkenning/ogone add extra CSP items in the database, since realistically, that will all be covered by the https: directive...

src/openforms/conf/base.py Outdated Show resolved Hide resolved
src/openforms/conf/base.py Show resolved Hide resolved
@sergei-maertens
Copy link
Member

Discussed with Joeri - we can remove the DigiD/eHerkenning/OgoneMerchant mechanism that updates the form-action CSP directive records, it's obsoleted by the setting changes.

sergei-maertens
sergei-maertens reviewed May 6, 2024
View reviewed changes
Copy link
Member

@sergei-maertens sergei-maertens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Ogone Merchant CSP update can also be removed :)

@Viicos Viicos force-pushed the issue/4205-csp branch from 127eb36 to d576da1 Compare May 6, 2024 12:56
@Viicos Viicos force-pushed the issue/4205-csp branch from d576da1 to 851b5c5 Compare May 6, 2024 15:09
@Viicos
[#4205] Remove support for form-action CSP directive creation
3c00366 
As we now allow `https:`, there's no need to whitelist specific
URLs from the configuration models (DigiD/eHerkenning)
@Viicos Viicos force-pushed the issue/4205-csp branch from 851b5c5 to 3c00366 Compare May 7, 2024 10:37
@sergei-maertens sergei-maertens added the needs-backport Fix must be backported to stable release branch label May 8, 2024
@sergei-maertens sergei-maertens merged commit 1df0654 into master May 8, 2024
26 of 27 checks passed
@sergei-maertens sergei-maertens deleted the issue/4205-csp branch May 8, 2024 07:15
sergei-maertens pushed a commit that referenced this pull request May 8, 2024
@Viicos @sergei-maertens
[#4205] Allow any https: scheme for CSP form-action directive
62e0a9d 
Backport-of: #4223
sergei-maertens pushed a commit that referenced this pull request May 8, 2024
@Viicos @sergei-maertens
[#4205] Allow any https: scheme for CSP form-action directive
6c7abc4 
Backport-of: #4223
sergei-maertens pushed a commit that referenced this pull request May 8, 2024
@Viicos @sergei-maertens
[#4205] Allow any https: scheme for CSP form-action directive
1b2775b 
Backport-of: #4223
@sergei-maertens
Copy link
Member

Backports:

@Viicos Viicos changed the title [#4205] Add more entries to form-action CSP [#4205] Allow any form-action CSP May 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sergei-maertens sergei-maertens sergei-maertens left review comments

Assignees
No one assigned
Labels
needs-backport Fix must be backported to stable release branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

eHerkenning users with active eHerkenning session blocked by form-action CSP rules.
2 participants
@Viicos @sergei-maertens