
SPA implementation - CSP #2875

Closed
1 task
laurenb33 opened this issue Jun 26, 2024 · 18 comments
@laurenb33
Collaborator

laurenb33 commented Jun 26, 2024

Per Yale's Info Security team, we need to enable a Content Security Policy for DCS. Our extension to do this is until December 2024. The DCS SPA report is in our Team channel. See related tickets #2838 #2833

@K8Sewell has kindly answered the following questions about enabling a CSP for DCS:

What steps would need to be taken to enable a CSP for DCS?

  • Enable CSP settings in config/initializers/content_security_policy.rb
  • Add trusted resources to the allowlist to resolve browser alerts
  • Address inline code by doing one of the following:
    • Move all inline code and inline styles to a file.
    • Move the code to a tag and get its hash key.
    • Use a 'nonce' tag attribute and add it to the corresponding tag.

Files w/ <script> tag:

  • Management - 1
  • Blacklight - 6
  • source

How do we turn on the CSP without breaking the inline JavaScript?

There is a setting to enable a reporting-only functionality. However, once CSP is enabled it will break all inline JavaScript. Enabling this report-only operation should only take 30 minutes to 2 hours.

Acceptance:

  • Enable a CSP for DCS
@K8Sewell

K8Sewell commented Oct 7, 2024

In progress PR - yalelibrary/yul-dc-management#1445

@jpengst jpengst self-assigned this Nov 8, 2024
@K8Sewell

K8Sewell commented Nov 11, 2024

In progress notes:

  • Enable CSP settings in config/initializers/content_security_policy.rb
  • set up to run in staging and production env - not dev - done but commented out during development
  • add header exceptions for testing and finding sources
  • manually search production site for tags - to identify all necessary trusted sources

Blacklight:

  • script
  • img
  • style
  • object
  • font

Management:

  • script
  • img
  • style
  • object
  • font

  • add nonces for exceptions - done but commented out until steps above complete
  • address glyph box error - see details below

downloadable font: Glyph bbox was incorrect - downloadable font: Glyph bbox was incorrect (glyph ids 68 146 262 293) (font-family: "YaleNew-Roman" style:normal weight:400 stretch:100 src index:1) source: https://static.library.yale.edu/fonts/yalenew/YaleNew-normal-normal/yalenew-roman-webfont.woff2

@jpengst
Collaborator

jpengst commented Nov 15, 2024

Blacklight PR: yalelibrary/yul-dc-blacklight#1073
Management PR: yalelibrary/yul-dc-management#1445

@K8Sewell

Deployed to Test with management release v2.73.0 and blacklight release v1.65.1

@K8Sewell

Taking back to In Progress.

Notes from Testing:

On management we are getting cross origin errors for our fonts that should be addressed. The javascript is acting as intended and there are no errors with the inline scripts.

On blacklight we are also getting CORS errors for our fonts as well as numerous errors for the style and script tags. Additionally, we need to add the image for the banner to the trusted list and fix the inline scripts.

Management (screenshots of the console errors omitted)

Blacklight (screenshots of the console errors omitted)

@K8Sewell

K8Sewell commented Nov 20, 2024

Notice

The CSP policies are included in release v2.72.9 for management and v1.65.1. We will need to not move to these higher versions for a production deploy until the errors are resolved or those changes are reverted.

Next steps from standup [ 20.11.2024 ]

@jpengst
Collaborator

jpengst commented Dec 4, 2024

Management PR: yalelibrary/yul-dc-management#1462

@K8Sewell

K8Sewell commented Dec 6, 2024

PR ready for review - yalelibrary/yul-dc-blacklight#1075 * this is currently deployed to the Test environment for investigation

@K8Sewell

K8Sewell commented Dec 6, 2024

PR ready for review - yalelibrary/yul-dc-management#1465 * this is also deployed to Test environment for easier review

@K8Sewell

K8Sewell commented Dec 6, 2024

Deployed to Test with release v2.73.4 & v1.65.2

@K8Sewell

K8Sewell commented Dec 6, 2024

Blacklight - looks good, JS responding as expected, but some inline styles still have errors. (screenshot omitted)

Management - JS not working on permission request show/edit page. Taking back to in progress. (screenshot omitted)

@K8Sewell

K8Sewell commented Dec 6, 2024

@K8Sewell

K8Sewell commented Dec 9, 2024

Deployed to Test with releases v2.73.5 and v1.65.3

@K8Sewell

K8Sewell commented Dec 9, 2024

Taking back to in progress to fix smoke tests. Created a separate ticket, #2979, to address the smoke tests' ability to roll back to a prior deploy, which is not working great. (screenshot omitted)

@K8Sewell

Redeployed to Test after restarting solr container and smoke tests passed. Manual testing of JS and styles looks good. Will promote to UAT.

@K8Sewell

UAT has behavior that Test does not. It autoselects the No option on the Permission Request show/edit page and that makes the inline JS not work properly. Blacklight looks good, all the styles and JS are working as expected. Taking back to in progress to fix up the auto selection of the No option for management. (screenshot omitted)

@jpengst
Collaborator

jpengst commented Dec 13, 2024

No additional changes needed. UAT is behaving as expected. (screenshot omitted)

@jillpe jillpe closed this as completed Dec 13, 2024
@laurenb33
Collaborator Author

SPA Exception Extended until January 31, 2025 :)
