[CPDNPQ-2485] make content security policy more secure #2170

alkesh · 2025-02-03T15:21:46Z

Context

Ticket: https://dfedigital.atlassian.net/browse/CPDNPQ-2485

Current CSP needs improvements:

remove unsafe-inline and unsafe-eval for scripts
replace use of <script> with nonced_javascript_tag in the views
remove unsafe-inline for styles
change report_uri to report to sentry
remove CSP reports controller and route
fix javascript console error that was only occurring on separation admin (every page)

⚠️ deploy to the review app is failing on this branch ⚠️

github-actions · 2025-02-03T15:40:34Z

Review app deployed to https://npq-registration-review-2170-web.test.teacherservices.cloud/

sonarqubecloud · 2025-02-05T10:54:29Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

alkesh changed the title ~~[CPDNPQ-2485] make content security policy more secuire~~ [CPDNPQ-2485] make content security policy more secure Feb 3, 2025

alkesh force-pushed the CPDNPQ-2485-content-security-policy branch 2 times, most recently from 1cd52cc to 496e79c Compare February 3, 2025 15:32

alkesh temporarily deployed to review February 3, 2025 15:35 — with GitHub Actions Inactive

alkesh temporarily deployed to staging February 3, 2025 15:38 — with GitHub Actions Inactive

alkesh temporarily deployed to review February 4, 2025 09:47 — with GitHub Actions Inactive

alkesh temporarily deployed to staging February 4, 2025 09:49 — with GitHub Actions Inactive

alkesh force-pushed the CPDNPQ-2485-content-security-policy branch from 6d4b563 to 9e3e1a9 Compare February 4, 2025 10:00

alkesh had a problem deploying to staging February 4, 2025 11:05 — with GitHub Actions Failure

alkesh force-pushed the CPDNPQ-2485-content-security-policy branch from 83fa9c0 to b164ffd Compare February 4, 2025 11:28

alkesh temporarily deployed to review February 4, 2025 11:31 — with GitHub Actions Inactive

alkesh temporarily deployed to staging February 4, 2025 11:34 — with GitHub Actions Inactive

alkesh temporarily deployed to review February 4, 2025 12:02 — with GitHub Actions Inactive

alkesh temporarily deployed to review February 4, 2025 12:16 — with GitHub Actions Inactive

alkesh force-pushed the CPDNPQ-2485-content-security-policy branch from b164ffd to ed19f0d Compare February 4, 2025 14:22

alkesh had a problem deploying to review February 4, 2025 14:26 — with GitHub Actions Failure

alkesh force-pushed the CPDNPQ-2485-content-security-policy branch from ed19f0d to 931bafb Compare February 4, 2025 14:49

alkesh had a problem deploying to review February 4, 2025 14:53 — with GitHub Actions Failure

alkesh temporarily deployed to staging February 4, 2025 14:55 — with GitHub Actions Inactive

alkesh had a problem deploying to review February 4, 2025 15:09 — with GitHub Actions Failure

alkesh added 2 commits February 4, 2025 15:22

make content security policy more secure

3b9c7df

remove csp_reports route and controller

5fb6ca6

alkesh force-pushed the CPDNPQ-2485-content-security-policy branch from 931bafb to f20b641 Compare February 4, 2025 15:22

alkesh had a problem deploying to review February 4, 2025 15:25 — with GitHub Actions Failure

alkesh temporarily deployed to staging February 4, 2025 15:29 — with GitHub Actions Inactive

alkesh closed this Feb 4, 2025

alkesh temporarily deployed to review February 4, 2025 15:41 — with GitHub Actions Inactive

alkesh reopened this Feb 4, 2025

alkesh had a problem deploying to review February 4, 2025 15:44 — with GitHub Actions Failure

alkesh temporarily deployed to staging February 4, 2025 15:49 — with GitHub Actions Inactive

alkesh had a problem deploying to review February 4, 2025 16:02 — with GitHub Actions Failure

use nonced_javascript_tag instead of script tags

c4fb6e6

alkesh force-pushed the CPDNPQ-2485-content-security-policy branch from f20b641 to c4fb6e6 Compare February 4, 2025 17:01

alkesh had a problem deploying to review February 4, 2025 17:05 — with GitHub Actions Failure

alkesh had a problem deploying to review February 4, 2025 17:17 — with GitHub Actions Failure

alkesh temporarily deployed to staging February 4, 2025 17:22 — with GitHub Actions Inactive

alkesh had a problem deploying to review February 5, 2025 10:24 — with GitHub Actions Failure

allow unsafe-inline for flipper-ui

1a168bb

alkesh had a problem deploying to review February 5, 2025 10:49 — with GitHub Actions Failure

alkesh temporarily deployed to staging February 5, 2025 10:52 — with GitHub Actions Inactive

alkesh had a problem deploying to review February 5, 2025 11:43 — with GitHub Actions Failure

alkesh temporarily deployed to staging February 5, 2025 11:45 — with GitHub Actions Inactive

alkesh closed this Feb 5, 2025

alkesh temporarily deployed to review February 5, 2025 12:23 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CPDNPQ-2485] make content security policy more secure #2170

[CPDNPQ-2485] make content security policy more secure #2170

alkesh commented Feb 3, 2025 •

edited

Loading

github-actions bot commented Feb 3, 2025

sonarqubecloud bot commented Feb 5, 2025

[CPDNPQ-2485] make content security policy more secure #2170

[CPDNPQ-2485] make content security policy more secure #2170

Conversation

alkesh commented Feb 3, 2025 • edited Loading

Context

github-actions bot commented Feb 3, 2025

sonarqubecloud bot commented Feb 5, 2025

Quality Gate passed

alkesh commented Feb 3, 2025 •

edited

Loading