Merge pull request #6828 from uktrade/revert/content-policy

Revert "Merge pull request #6760 from uktrade/fix/content-security-po…

.circleci/config.yml

@@ -237,8 +237,6 @@ commands:
       - run:
           name: << parameters.label >>
           command: make << parameters.target >> SPEC_FILES="<< parameters.spec_files >>"
-          environment:
-            - NODE_ENV: test
   store_cypress_artifacts:
     description: Store Cypress artifacts like screenshots and videos
     steps:

.gitignore

@@ -30,7 +30,6 @@ reports
 .idea/
 *.env
 !*.sample.env
-!tests.env
 npm*.log
 yarn-error.log
 yarn.lock

babel.config.js

@@ -5,6 +5,9 @@ module.exports = {
     test: {
       plugins: ['istanbul'],
     },
+    development: {
+      plugins: ['istanbul'],
+    },
   },
   presets: [
     ['@babel/preset-react'],

docker-compose.base.yml

@@ -23,6 +23,7 @@ services:
       # Required to test Data Hub roles in e2e tests, make sure this var
       # doesn't exists in your .env file as the override below won't work
       OAUTH2_DEV_TOKEN: ${OAUTH2_DEV_TOKEN:-ditStaffToken}
-    command: bash -c 'npm run build:for-test-coverage && npm run start:coverage'
+    command: npm run develop
+
   redis:
     image: redis:6.2.6

docker-compose.e2e.backend.yml

@@ -43,8 +43,6 @@ services:
       - redis
     entrypoint: dockerize -wait tcp://postgres:5432 -wait tcp://opensearch:9200 -wait tcp://redis:6379 -timeout 5m
     command: python short-running-worker.py long-running-worker.py
-    logging:
-      driver: none
 
   postgres:
     image: postgres:12
@@ -54,8 +52,6 @@ services:
       POSTGRES_DB: datahub
       POSTGRES_USER: user
       POSTGRES_PASSWORD: password
-    logging:
-      driver: none
 
   opensearch:
     image: opensearchproject/opensearch:1.2.4
@@ -69,17 +65,13 @@ services:
       - bootstrap.memory_lock=true
       - DISABLE_INSTALL_DEMO_CONFIG=true # Prevents execution of bundled demo script which installs demo certificates and security configurations to OpenSearch
       - DISABLE_SECURITY_PLUGIN=true # Disables security plugin
-    logging:
-      driver: none
 
   activity-feed-reverseproxy:
     build: ./test/end-to-end/proxy
     ports:
         - 8081:8081
     depends_on:
       - activity-feed
-    logging:
-      driver: none
 
   activity-feed:
     build: https://github.com/uktrade/activity-stream.git
@@ -106,5 +98,3 @@ services:
       - INCOMING_ACCESS_KEY_PAIRS__1__PERMISSIONS__objects__1=__MATCH_ALL__
       - INCOMING_IP_WHITELIST__1=1.2.3.4
       - INCOMING_IP_WHITELIST__2=2.3.4.5
-    logging:
-      driver: none

docker-compose.e2e.frontend.yml

@@ -27,6 +27,4 @@ services:
       MOCK_SSO_TOKEN: 123
       MOCK_SSO_EMAIL_USER_ID: [email protected]
       MOCK_SSO_USERNAME: [email protected]
-    logging:
-      driver: none
 

docker-compose.services.yml

@@ -9,8 +9,6 @@ services:
       - ./test/sandbox:/usr/src/app
       # Ensures that the local node_modules dir is not used in the container
       - /usr/src/app/node_modules
-    logging:
-      driver: none
 
   lbweb:
     image: gcr.io/sre-docker-registry/github.com/uktrade/legal-basis-api:latest
@@ -41,14 +39,10 @@ services:
       bash -c "sleep 5 && python manage.py migrate &&
       python manage.py collectstatic --noinput &&
       python -Wd manage.py runserver 0.0.0.0:8001"
-    logging:
-      driver: none
 
   lbdb:
     image: postgres:9.6.9-alpine
     restart: unless-stopped
     environment:
       POSTGRES_USER: postgres
       POSTGRES_DB: legal-basis
-    logging:
-      driver: none

package.json

@@ -13,8 +13,7 @@
     "clean": "del .build cypress-coverage",
     "start": "node --use-strict src/server.js",
     "start:coverage": "nyc --silent npm run start",
-    "build": "npm run clean && NODE_ENV=production webpack",
-    "build:for-test-coverage": "npm run clean && NODE_ENV=test webpack",
+    "build": "npm run clean && webpack",
     "develop": "NODE_ENV=development npm run watch:js:client -- --env development",
     "watch:test": "npm run test:unit -- -w",
     "watch:js:client": "webpack --watch --progress",

src/apps/__export-wins-review/view.njk

@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>DBT Export Wins</title>
-    <style nonce="{{ cspNonce }}" >
+    <style>
       html, body {
         font-family: Arial,"Helvetica Neue",sans-serif;
         font-size: 19px;
@@ -16,12 +16,12 @@
     </style>
   </head>
   <body>
-    {% include "_includes/csp-nonce.njk" %}
     <div id="react-app">
       <noscript>Please enable JavaScript in your browser to see the content.</noscript>
     </div>
 
     <!--[if gt IE 8]><!-->
+    <script src="{{ getAssetPath('app.js') }}"></script>
     <script src="{{ getAssetPath('export-win-review.js') }}"></script>
     <!--<![endif]-->
   </body>

src/apps/companies/apps/dnb-hierarchy/client/DnbHierarchy.jsx

@@ -1,7 +1,7 @@
 import React, { useEffect, useState } from 'react'
 import PropTypes from 'prop-types'
 import axios from 'axios'
-import useSearchParam from 'react-use/lib/useSearchParam'
+import { useSearchParam } from 'react-use'
 import { Details, LoadingBox } from 'govuk-react'
 
 import { CollectionList } from '../../../../../client/components/'

src/client/components/NotificationAlert/index.jsx

@@ -6,7 +6,7 @@ import styled from 'styled-components'
 
 import { ID, TASK_GET_REMINDER_SUMMARY, state2props } from './state'
 import { REMINDER_SUMMARY__LOADED } from '../../actions'
-import BellIcon from './BellIcon'
+import BellSVG from './bell-icon.svg'
 import Task from '../Task'
 
 import { Size, Shape, Count } from '../NotificationBadge'
@@ -24,7 +24,7 @@ const StyledShape = styled(Shape)({
   left: -7,
 })
 
-const StyledBellIcon = styled(BellIcon)({
+const StyledImage = styled('img')({
   width: 22,
   height: 22,
   marginLeft: 20,
@@ -36,7 +36,10 @@ const NotificationAlert = ({ count, remindersURL }) => (
     href={remindersURL}
     id="notification-bell-count"
   >
-    <StyledBellIcon />
+    <StyledImage
+      src={BellSVG}
+      alt="An image of a bell with the notification count overlaid"
+    />
     <Task.Status
       name={TASK_GET_REMINDER_SUMMARY}
       id={ID}

src/client/export-win-review.jsx

@@ -1,4 +1,4 @@
-import './webpack-csp-nonce'
+/* eslint-disable prettier/prettier */
 import React from 'react'
 import ReactDOM from 'react-dom'
 

src/client/index.jsx

@@ -1,4 +1,3 @@
-import './webpack-csp-nonce.js'
 import React from 'react'
 import ReactDOM from 'react-dom'
 import * as Sentry from '@sentry/browser'

src/client/modules/Investments/Projects/ProjectTasks.jsx

@@ -2,7 +2,7 @@ import React from 'react'
 import { H2 } from 'govuk-react'
 import { LEVEL_SIZE } from '@govuk-react/constants'
 import { useParams } from 'react-router-dom'
-import useSearchParam from 'react-use/lib/useSearchParam'
+import { useSearchParam } from 'react-use'
 import { connect } from 'react-redux'
 import qs from 'qs'
 

src/lib/hawk-request.js

@@ -3,7 +3,13 @@ const Hawk = require('hawk')
 const config = require('../config')
 const request = require('./request')
 
-function getHawkHeader(credentials, { url, method }) {
+function getHawkHeader(credentials, requestOptions) {
+  if (config.isTest) {
+    return 'hawk-test-header'
+  }
+
+  const { url, method } = requestOptions
+
   // Generate Authorization request header
   // Ensure backend is using same protocol for hash generation
   return Hawk.client.header(url, method, {

src/middleware/__test__/headers.test.js

@@ -1,35 +1,38 @@
 const headers = require('../headers')
 
-const NONCE = 'DUMMY-NONCE'
+describe('headers middleware', () => {
+  context('when the resource is not an asset', () => {
+    it('should set headers', () => {
+      const reqMock = { url: '/' }
+      const resMock = { set: sinon.spy() }
+      const nextMock = sinon.spy()
 
-const nonceGenerator = () => NONCE
+      headers(reqMock, resMock, nextMock)
 
-describe('headers middleware', () => {
-  it('should set headers', () => {
-    const reqMock = { url: '/' }
-    const resMock = { set: sinon.spy() }
-    const nextMock = sinon.spy()
-
-    headers(reqMock, resMock, nextMock, {
-      nonceGenerator,
-      mode: 'production',
-    })
+      expect(resMock.set.args).to.be.deep.equal([
+        ['Cache-Control', 'no-cache, no-store, must-revalidate, private'],
+        ['Pragma', 'no-cache'],
+        ['X-Frame-Options', 'DENY'],
+        ['X-Content-Type-Options', 'nosniff'],
+        ['X-XSS-Protection', '1; mode=block'],
+        ['Strict-Transport-Security', 'max-age=15552000'],
+      ])
 
-    expect(Object.fromEntries(resMock.set.args)).to.be.deep.equal({
-      'Content-Security-Policy': [
-        `default-src 'self' 'nonce-${NONCE}'`,
-        `frame-ancestors 'none'`,
-        `script-src 'self' 'nonce-${NONCE}' https://*.googletagmanager.com`,
-        `img-src 'self' https://*.google-analytics.com https://*.googletagmanager.com`,
-        `connect-src 'self' https://*.google-analytics.com https://*.googletagmanager.com https://*.analytics.google.com`,
-      ].join(';'),
-      'Cache-Control': 'no-cache, no-store',
-      Pragma: 'no-cache',
-      'X-Frame-Options': 'DENY',
-      'X-Content-Type-Options': 'nosniff',
-      'Strict-Transport-Security': 'max-age=15552000',
+      expect(nextMock).to.be.called
     })
+  })
 
-    expect(nextMock).to.be.called
+  context('when the resource is an asset', () => {
+    it('should not set the headers', () => {
+      const reqMock = { url: '/javascripts/foo.js' }
+      const resMock = { set: sinon.spy() }
+      const nextMock = sinon.spy()
+
+      headers(reqMock, resMock, nextMock)
+
+      expect(resMock.set).not.to.be.called
+
+      expect(nextMock).to.be.called
+    })
   })
 })