Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add CKAN_DOMAIN to the CSP on previews
Some organograms are hosted on ckan.publishing.service.gov.uk, instead of s3-eu-west-1.amazonaws.com. The previews for these organograms are currently broken because the content security policy prevents the JavaScript from downloading the files from the CKAN domain. I confirmed that the CSP was the only issue by disabling CSP in my browser (using a plugin) and confirming that the broken previews worked correctly. Since the CSP already permits all of S3 eu-west-1 in the connect_src, adding CKAN to the CSP feels like a very small piece of extra security attack surface. And it should be a quick way to fix the bug where some organogram previews don't show up. I tried to add a test for this, but rails controller tests don't execute enough of the stack for the SecureHeaders gem to do its thing and set the CSP header. It might be possible to test with a feature test, but that feels like overkill.
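The commit notes that controller tests never reach the point where SecureHeaders emits the CSP header, so the change could not be covered by a unit test. One way to still check the policy offline is to evaluate the connect-src list directly against the URLs the preview JavaScript fetches. The following is an added example, not code from this repository: it implements a simplified CSP host-source matcher and shows the CKAN URL being blocked by the old list and permitted by the new one. The two hosts are the ones named in the commit; the exact source entries, the page origin and the object paths are constructed assumptions (in the app itself the list would live under `connect_src` in the SecureHeaders CSP configuration).

```ruby
require "uri"

# Added example (not the project's code): an offline check that a CSP
# connect-src list permits the origins the organogram preview fetches from.
# Hosts are the two named in the commit; the page origin and paths below are
# constructed placeholders.
S3_HOST = "s3-eu-west-1.amazonaws.com"
CKAN_DOMAIN = "ckan.publishing.service.gov.uk"

CONNECT_SRC_BEFORE = ["'self'", "https://#{S3_HOST}"]
CONNECT_SRC_AFTER  = CONNECT_SRC_BEFORE + ["https://#{CKAN_DOMAIN}"]

def same_origin?(a, b)
  [a.scheme, a.host.downcase, a.port] == [b.scheme, b.host.downcase, b.port]
end

# Simplified CSP host-source matching: 'self', '*', optional scheme, optional
# port and a leading "*." wildcard. Path matching is deliberately left out.
def source_allows?(source, origin, page_origin)
  return same_origin?(origin, page_origin) if source == "'self'"
  return true if source == "*"

  scheme, rest = source.include?("://") ? source.split("://", 2) : [nil, source]
  host_pattern, port = rest.downcase.split(":", 2)
  host = origin.host.downcase

  # An explicit scheme must match; a scheme-less source matches the page's
  # scheme or https, never a downgrade to plain http from an https page.
  return false if scheme && scheme != origin.scheme
  return false if scheme.nil? && ![page_origin.scheme, "https"].include?(origin.scheme)
  return false if port && port.to_i != origin.port

  if host_pattern.start_with?("*.")
    host.end_with?(host_pattern[1..-1]) # "*.example.com" matches "a.example.com", not "example.com"
  else
    host == host_pattern
  end
end

def connect_allowed?(connect_src, url, page_url)
  origin = URI.parse(url)
  page_origin = URI.parse(page_url)
  connect_src.any? { |source| source_allows?(source, origin, page_origin) }
end

# Returns the preview URLs the given policy would block, so a policy change
# can be checked against every fetch the preview JavaScript makes.
def blocked_urls(connect_src, urls, page_url)
  urls.reject { |url| connect_allowed?(connect_src, url, page_url) }
end

if __FILE__ == $PROGRAM_NAME
  page = "https://app.example.gov.uk/organograms" # constructed page origin
  previews = [
    "https://#{S3_HOST}/some-bucket/organogram.csv",     # constructed path
    "https://#{CKAN_DOMAIN}/dataset/org/organogram.csv", # constructed path
  ]
  puts "before: blocked #{blocked_urls(CONNECT_SRC_BEFORE, previews, page).inspect}"
  puts "after:  blocked #{blocked_urls(CONNECT_SRC_AFTER, previews, page).inspect}"
end
```

Run with `ruby csp_check.rb`: the first line lists the CKAN URL as blocked, the second lists nothing. The matcher keeps the scheme check strict, so an `http://` CKAN URL is still refused after the change, which is the behaviour you want when the page itself is served over https.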