SPA implementation - CSP #2875
In progress PR - yalelibrary/yul-dc-management#1445
In progress notes:
Blacklight:
Management:
downloadable font: Glyph bbox was incorrect (glyph ids 68 146 262 293) (font-family: "YaleNew-Roman" style:normal weight:400 stretch:100 src index:1) source: https://static.library.yale.edu/fonts/yalenew/YaleNew-normal-normal/yalenew-roman-webfont.woff2
Blacklight PR: yalelibrary/yul-dc-blacklight#1073
Taking back to In Progress. Notes from testing: on management we are getting cross-origin errors for our fonts that should be addressed. The JavaScript is acting as intended and there are no errors with the inline scripts. On blacklight we are also getting CORS errors for our fonts, as well as numerous errors for the style and script tags. Additionally, we need to add the image for the banner to the trusted list and fix the inline scripts.
Notice: the CSP policies are included in release v2.72.9 for management and v1.65.1. We must not move to these higher versions for a production deploy until the errors are resolved or those changes are reverted. Next steps from standup [20.11.2024]
Management PR: yalelibrary/yul-dc-management#1462
PR ready for review - yalelibrary/yul-dc-blacklight#1075 (this is currently deployed to the Test environment for investigation)
PR ready for review - yalelibrary/yul-dc-management#1465 (this is also deployed to the Test environment for easier review)
PRs ready for review: yalelibrary/yul-dc-blacklight#1076
Taking back to in progress to fix smoke tests. Created a separate ticket, #2979, since the smoke tests' ability to roll back to a prior deploy is not working great.
Redeployed to Test after restarting the solr container and smoke tests passed. Manual testing of JS and styles looks good. Will promote to UAT.
SPA Exception extended until January 31, 2025 :)
Per Yale's Info Security team, we need to enable a Content Security Policy for DCS. Our extension to do this is until December 2024. The DCS SPA report is in our Team channel. See related tickets #2838 #2833
@K8Sewell has kindly answered the following questions about enabling a CSP for DCS:
What steps would need to be taken to enable a CSP for DCS?
Enable CSP settings in config/initializers/content_security_policy.rb
Add trusted resources to allowlist to resolve browser alerts
Address inline code by doing one of the following:
Move all inline code and inline styles to a file.
Move the code to a tag and get its hash key.
Use a 'nonce' tag attribute and add it to the corresponding tag.
Files w/ <script> tag:
Management - 1
Blacklight - 6
How do we turn on the CSP without breaking the inline JavaScript?
There is a setting to enable a report-only functionality. However, once CSP is enabled it will break all inline JavaScript. Enabling this report-only operation should only take 30 minutes to 2 hours.
Acceptance:
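The three steps answered above (report-only mode first, an allowlist entry for the fonts host that raised the console errors, and a per-request nonce for the inline scripts) as a small self-contained Ruby illustration; this is added example code, not the yul-dc initializer or anything from the PRs. The fonts host is the one from the console error in this thread; the page origin and report endpoint are placeholders.

```ruby
require "securerandom"
require "uri"

PAGE_ORIGIN = "https://dcs.example".freeze              # placeholder for the DCS site origin
FONT_HOST   = "https://static.library.yale.edu".freeze  # host from the woff2 console error
REPORT_PATH = "/csp-report".freeze                      # placeholder violation endpoint

# Fresh nonce per response; the same value goes into each inline <script nonce="...">.
def new_nonce
  SecureRandom.base64(16)
end

# Returns [header_name, header_value]. Report-Only is the "reporting only" mode
# from the thread: violations are reported to REPORT_PATH but nothing is blocked,
# so the allowlist can be tuned before the enforcing header is switched on.
def build_csp(nonce, report_only: true)
  directives = {
    "default-src" => ["'self'"],
    "script-src"  => ["'self'", "'nonce-#{nonce}'"], # inline scripts keep working via nonce
    "style-src"   => ["'self'", "'nonce-#{nonce}'"],
    "font-src"    => ["'self'", FONT_HOST],           # resolves the font errors
    "img-src"     => ["'self'", FONT_HOST],           # banner image, assumed on the same host
    "report-uri"  => [REPORT_PATH],
  }
  value = directives.map { |name, srcs| "#{name} #{srcs.join(' ')}" }.join("; ")
  [report_only ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy", value]
end

# Parse a policy string back into directive => source list.
def parse_csp(value)
  value.split(";").each_with_object({}) do |directive, acc|
    name, *srcs = directive.strip.split(/\s+/)
    acc[name] = srcs if name
  end
end

# Would a fetch of `url` under `directive` pass? Unknown directives fall back to default-src.
def allowed?(value, directive, url)
  policy = parse_csp(value)
  srcs = policy[directive] || policy["default-src"] || []
  u = URI(url)
  origin = "#{u.scheme}://#{u.host}"
  srcs.any? { |s| (s == "'self'" && origin == PAGE_ORIGIN) || s == origin }
end

# Would an inline element carrying nonce="nonce_attr" be allowed under `directive`?
def inline_allowed?(value, directive, nonce_attr)
  (parse_csp(value)[directive] || []).include?("'nonce-#{nonce_attr}'")
end
```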