SPA implementation - CSP #2875
Comments
|
In progress PR - yalelibrary/yul-dc-management#1445 |
|
In progress notes:
Blacklight:
Management:
downloadable font: Glyph bbox was incorrect - downloadable font: Glyph bbox was incorrect (glyph ids 68 146 262 293) (font-family: "YaleNew-Roman" style:normal weight:400 stretch:100 src index:1) source: https://static.library.yale.edu/fonts/yalenew/YaleNew-normal-normal/yalenew-roman-webfont.woff2 |
|
Blacklight PR: yalelibrary/yul-dc-blacklight#1073 |
|
Taking back to In Progress. Notes from Testing: On management we are getting cross origin errors for our fonts that should be addressed. The javascript is acting as intended and there are no errors with the inline scripts. On blacklight we are also getting CORS errors for our fonts as well as numerous errors for the style and script tags. Additionally, we need to add the image for the banner to the trusted list and fix the inline scripts. Management
Blacklight
|
NoticeThe CSP policies are included in release v2.72.9 for management and v1.65.1. We will need to not move to these higher versions for a production deploy until the errors are resolved or those changes are reverted. Next steps from standup [ 20.11.2024 ]
|
|
Management PR: yalelibrary/yul-dc-management#1462 |
|
PR ready for review - yalelibrary/yul-dc-blacklight#1075 * this is currently deployed to the Test environment for investigation |
|
PR ready for review - yalelibrary/yul-dc-management#1465 * this is also deployed to Test environment for easier review |
|
Blacklight - looks good, JS responding as expected, but some in line styles have errors still.
Management - JS not working on permission request show/edit page. Taking back to in progress.
|
|
PRs ready for review: yalelibrary/yul-dc-blacklight#1076 |
|
Taking back to in progress to fix smoke tests. Created separate ticket to address the smoke test's ability to rollback to a prior deploy is not working great. #2979
|
|
Redeployed to Test after restarting solr container and smoke tests passed. Manual testing of JS and styles looks good. Will promote to UAT. |
|
UAT has behavior that Test does not. It autoselects the No option on the Permission Request show/edit page and that makes the inline JS not work properly. Blacklight looks good, all the styles and JS are working as expected. Taking back to in progress to fix up the auto selection of the No option for managment. 
|
|
No additional changes needed. UAT is behaving as expected: |
|
SPA Exception Extended until January 31, 2025 :) |
Per the Yale's Info Security team, we need to enable a Content Security Policy for DCS. Our extension to do this is until December 2024. The DCS SPA report is in the our Team channel. See related tickets ##2838 #2833
@K8Sewell has kindly answered the following questions about enabling a CSP for DCS:
What steps would be to be taken to enable a CSP for DCS?
Enable CSP settings in config/initializers/content_security_policy.rb
Add trusted resources to allowlist to resolve browser alerts
Address inline code by doing one of the following:
Move all inline code and inline styles to a file.
Move the code to a tag and get its hash key.
Use a 'nonce' tag attribute and add it to the corresponding tag.
Files w/ <script> tag:
Management - 1
Blacklight - 6
source
How do we turn on the CSP without breaking the inline javascript?
There is a setting to enable a reporting only functionality. However, once CSP is enabled it will break all inline javascript. Enabling this report only operation should only take 30 minutes to 2 hours.
Acceptance:
The text was updated successfully, but these errors were encountered: