Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSP: Remove unsafe-eval & unsafe-inline from script-src #14831

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

robhudson
Copy link
Member

@robhudson robhudson commented Jul 15, 2024

One-line summary

Remove unsafe-eval & unsafe-inline from script-src

NOTE
This also changes webpack to use devtool: 'source-map' which may result in slightly slower build times. This is needed to satisfy the CSP requirements locally (not use eval) so devs can spot any breaking CSP being added. On my machine it was a negligible difference but I'd be interested to hear about other experiences.

Issue / Bugzilla link

#14828

Testing

I tested locally by clicking around with the console open looking for CSP violations, including the wagtail admin in my checks.

Copy link

codecov bot commented Jul 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.07%. Comparing base (8478feb) to head (f36d92e).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #14831   +/-   ##
=======================================
  Coverage   79.06%   79.07%           
=======================================
  Files         160      160           
  Lines        8355     8357    +2     
=======================================
+ Hits         6606     6608    +2     
  Misses       1749     1749           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@robhudson robhudson force-pushed the fix-14828-style-src-unsafe branch from 688dddc to 517bdc4 Compare July 15, 2024 23:46
@alexgibson
Copy link
Member

Thanks for taking a look at this one @robhudson! It would really be great to make these improvements.

One area that might be worth investigating is GA4. In particular, I see in their CSP docs there is mention of needing 'unsafe-eval' if we use any custom JavaScript variables.

I might be mistaken (and maybe @stephaniehobson can confirm?), but we might use a couple still that need removing:

@stephaniehobson
Copy link
Contributor

stephaniehobson commented Jul 22, 2024

Yeah, we are still using those but they can be removed now that GA3 is gone. We just have to make some changes bedrock side first.

@robhudson
Copy link
Member Author

This updates the PR to only remove these from the report-only policy so we can see how it does there and we should get CSP reports in sentry, but it won't break anything since it's not enforced.

@alexgibson alexgibson added Backend Server stuff yo Frontend HTML, CSS, JS... client side stuff labels Jul 29, 2024
@janbrasna
Copy link
Contributor

The GTM changes are published now:

Does that mean eval() is no longer needed for GA and this can move forward?

@stephaniehobson
Copy link
Contributor

Confirmed: we're no long using any custom javascript variables in GTM.

Copy link
Contributor

@stephaniehobson stephaniehobson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

R+ 📜

@stephaniehobson
Copy link
Contributor

@robhudson I've approved this but I'll leave it to you to merge in case it's gotten too stale.

@robhudson
Copy link
Member Author

It's a little stale. I need to refresh my context around it, esp with the webpack bit. I'll be doing more stuff around CSP next week.

@janbrasna
Copy link
Contributor

janbrasna commented Nov 22, 2024

So that's unsafe-eval ✅ — the docs also mention unsafe-inline for loading the container, that I feel is worked around here by the bespoke gtm-snippet.js:

GTMSnippet.loadSnippet = () => {
if (GTM_CONTAINER_ID) {
// prettier-ignore
(function(w,d,s,l,i,j,f,dl,k,q){
w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});f=d.getElementsByTagName(s)[0];
k=i.length;q='//www.googletagmanager.com/gtm.js?id=@&l='+(l||'dataLayer');
while(k--){j=d.createElement(s);j.async=!0;j.src=q.replace('@',i[k]);f.parentNode.insertBefore(j,f);}
}(window,document,'script','dataLayer',[GTM_CONTAINER_ID]));
}
};

that will hopefully be sufficient (they pass the nonces normally, making it feel like they then drop more inline JS from their code…) so we'll see in the RO violations if there's some spaghetti coming from the loaded sources.


The webpack (re)build performance for different devtool settings for source mapping is described in more depth here:

The only question is whether this doesn't wholesale add source maps also to prod outputs?

This tightens the CSP for the report-only policy. If all looks good we can migrate to the enforced policy.

This also adds exceptions for the wagtail admin.

fix formatting
This is to avoid CSP 'unsafe-eval' errors.
@robhudson robhudson force-pushed the fix-14828-style-src-unsafe branch from 0951a6f to f36d92e Compare December 17, 2024 16:58
@robhudson robhudson requested review from a team as code owners December 17, 2024 16:58
@robhudson
Copy link
Member Author

Rebased. It sounds like this is good to go for testing in report-only mode. Just wanting to confirm.

Copy link
Contributor

@janbrasna janbrasna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the source mapping change may actually impact production outputs, so good the FE codeowners @mozilla/bedrock-codeowners-frontend got pinged for review, to perhaps advise what to do with the devtool in webpack settings:

@@ -45,6 +45,7 @@ module.exports = {
path: path.resolve(__dirname, 'assets/'),
publicPath: '/media/'
},
devtool: 'source-map',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this was omitted, it used some cheap-*/eval values by default for dev, and none in prod. However if this is now set unconditionally, I think this will start generating maps for prod builds and adding map source comment trailers to all the entrypoints etc. — so my gut feeling is it may need dev-only guardrails similar to:

Suggested change
devtool: 'source-map',
devtool: env.production ? false : 'source-map',

(I'm not sure how precisely is the env mode exposed here, as they come from crossenv, DefinePlugin etc. so this is merely a pseudo-code TBH…)

Perhaps another approach is turning off source mapping completely? Is anyone using it in local dev? I will probably open a separate ticket to get some 👀 eyes to the issue.

CMS_ADMIN_CSP_RO = _override_csp(
CONTENT_SECURITY_POLICY_REPORT_ONLY,
append={"script-src": [csp.constants.UNSAFE_INLINE]},
replace={"frame-ancestors": [csp.constants.SELF]},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(FYI this moved recently, so will need a rebase and a tweak…)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Backend Server stuff yo Frontend HTML, CSS, JS... client side stuff
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants