EPMRPP-98929 || Update CSP to allow extensions appending on dev envs

app/src/controllers/plugins/uiExtensions/overrideExtension.js

@@ -25,7 +25,7 @@ const fetchManifest = async (url, manifestFileName) => {
   return response.json();
 };
 
-// TODO: restrict access to this function (f.e. only for admins)
+// TODO: restrict access to this function (e.g. only for admins)
 export const createExtensionOverrider = (store) => async (pluginName, url) => {
   const plugin = pluginByNameSelector(store.getState(), pluginName);
 
@@ -39,7 +39,7 @@ export const createExtensionOverrider = (store) => async (pluginName, url) => {
   return manifest;
 };
 
-// TODO: restrict access to this function (f.e. only for admins)
+// TODO: restrict access to this function (e.g. only for admins)
 export const createExtensionAppender = (store) => async (url) => {
   const manifestFileName = `${MANIFEST_FILE_KEY}.json`;
 

app/src/layouts/projectLayout/projectSidebar/projectSidebar.jsx

@@ -133,7 +133,7 @@ export const ProjectSidebar = ({ onClickNavBtn }) => {
       icon: SettingsIcon,
       message: formatMessage(messages.projectsSettings),
     });
-    projectPageExtensions.forEach(({ icon, internalRoute, name }) => {
+    projectPageExtensions.forEach(({ icon, internalRoute, name, title }) => {
       if (icon) {
         sidebarItems.push({
           onClick: onClickNavBtn,
@@ -142,7 +142,7 @@ export const ProjectSidebar = ({ onClickNavBtn }) => {
             payload: { organizationSlug, projectSlug, pluginPage: internalRoute || name },
           },
           icon: icon.svg,
-          message: icon.title,
+          message: icon.title || title,
         });
       }
     });

nginx.conf

@@ -37,7 +37,9 @@ http {
             add_header X-Frame-Options "DENY";
             add_header X-Content-Type-Options "nosniff";
             add_header X-XSS-Protection "1; mode=block";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            # The CSP need to be updated before release (localhost should be removed in favor of own Service UI files)
+            # Update other `location`s accordingly
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /index.html;
         }
 
@@ -46,20 +48,20 @@ http {
             add_header X-Frame-Options "DENY";
             add_header X-Content-Type-Options "nosniff";
             add_header X-XSS-Protection "1; mode=block";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /index.html;
         }
 
         # build info
         location /info {
             add_header Cache-Control "public, must-revalidate";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /buildInfo.json 404;
         }
 
         location /ui/info {
             add_header Cache-Control "public, must-revalidate";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /buildInfo.json 404;
         }