-
Notifications
You must be signed in to change notification settings - Fork 919
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP: Remove unsafe-eval & unsafe-inline from script-src #14831
base: main
Are you sure you want to change the base?
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #14831 +/- ##
=======================================
Coverage 79.06% 79.07%
=======================================
Files 160 160
Lines 8355 8357 +2
=======================================
+ Hits 6606 6608 +2
Misses 1749 1749 ☔ View full report in Codecov by Sentry. |
688dddc
to
517bdc4
Compare
Thanks for taking a look at this one @robhudson! It would really be great to make these improvements. One area that might be worth investigating is GA4. In particular, I see in their CSP docs there is mention of needing I might be mistaken (and maybe @stephaniehobson can confirm?), but we might use a couple still that need removing: |
Yeah, we are still using those but they can be removed now that GA3 is gone. We just have to make some changes bedrock side first. |
517bdc4
to
0951a6f
Compare
This updates the PR to only remove these from the report-only policy so we can see how it does there and we should get CSP reports in sentry, but it won't break anything since it's not enforced. |
The GTM changes are published now:
Does that mean eval() is no longer needed for GA and this can move forward? |
Confirmed: we're no long using any custom javascript variables in GTM. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
R+ 📜
@robhudson I've approved this but I'll leave it to you to merge in case it's gotten too stale. |
It's a little stale. I need to refresh my context around it, esp with the webpack bit. I'll be doing more stuff around CSP next week. |
So that's bedrock/media/js/base/gtm/gtm-snippet.es6.js Lines 25 to 34 in 9b5f2a3
that will hopefully be sufficient (they pass the nonces normally, making it feel like they then drop more inline JS from their code…) so we'll see in the RO violations if there's some spaghetti coming from the loaded sources. The webpack (re)build performance for different devtool settings for source mapping is described in more depth here:
The only question is whether this doesn't wholesale add source maps also to prod outputs? |
This tightens the CSP for the report-only policy. If all looks good we can migrate to the enforced policy. This also adds exceptions for the wagtail admin. fix formatting
This is to avoid CSP 'unsafe-eval' errors.
0951a6f
to
f36d92e
Compare
Rebased. It sounds like this is good to go for testing in report-only mode. Just wanting to confirm. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the source mapping change may actually impact production outputs, so good the FE codeowners @mozilla/bedrock-codeowners-frontend got pinged for review, to perhaps advise what to do with the devtool in webpack settings:
@@ -45,6 +45,7 @@ module.exports = { | |||
path: path.resolve(__dirname, 'assets/'), | |||
publicPath: '/media/' | |||
}, | |||
devtool: 'source-map', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When this was omitted, it used some cheap-*/eval
values by default for dev, and none in prod. However if this is now set unconditionally, I think this will start generating maps for prod builds and adding map source comment trailers to all the entrypoints etc. — so my gut feeling is it may need dev-only guardrails similar to:
devtool: 'source-map', | |
devtool: env.production ? false : 'source-map', |
(I'm not sure how precisely is the env mode exposed here, as they come from crossenv, DefinePlugin etc. so this is merely a pseudo-code TBH…)
Perhaps another approach is turning off source mapping completely? Is anyone using it in local dev? I will probably open a separate ticket to get some 👀 eyes to the issue.
CMS_ADMIN_CSP_RO = _override_csp( | ||
CONTENT_SECURITY_POLICY_REPORT_ONLY, | ||
append={"script-src": [csp.constants.UNSAFE_INLINE]}, | ||
replace={"frame-ancestors": [csp.constants.SELF]}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(FYI this moved recently, so will need a rebase and a tweak…)
One-line summary
Remove unsafe-eval & unsafe-inline from script-src
NOTE
This also changes webpack to use
devtool: 'source-map'
which may result in slightly slower build times. This is needed to satisfy the CSP requirements locally (not useeval
) so devs can spot any breaking CSP being added. On my machine it was a negligible difference but I'd be interested to hear about other experiences.Issue / Bugzilla link
#14828
Testing
I tested locally by clicking around with the console open looking for CSP violations, including the wagtail admin in my checks.