LG-3697: Define connect-src S3 presigned URLs by full path#4429
Conversation
Actually, as soon as I opened this, I took an even closer look at the spec to discover that we could just omit the
It's a much smaller fix (literally just removing the Open to either though!

I like the approach of only adding the S3 URLs to the pages that we know need it. Instead of doing it inside the view, we could try to do it inside the controller? Like the

The closest thing we have to controllers for these views are the
If we went this route, I think we'd want to return to an approach like what we had with the bucket-wide permission:

```ruby
# app/controllers/idv/doc_auth_controller.rb
# app/controllers/idv/capture_doc_controller.rb
before_action :append_connect_src_to_capture_step

# Only the document_capture step, and only with presigned S3 URLs enabled,
# needs the bucket added to connect-src; every other step keeps the default CSP.
def append_connect_src_to_capture_step
  return unless params[:step] == 'document_capture'
  return unless AppConfig.env.doc_auth_enable_presigned_s3_urls == 'true'
  image_upload_bucket_url = ImageUploadPresignedUrlGenerator.new.bucket_url
  return unless image_upload_bucket_url
  SecureHeaders.append_content_security_policy_directives request, connect_src: [image_upload_bucket_url]
end
```

Alternatively, the
Any preference? I'm leaning toward the latter option, though the precise implementation isn't quite as clear to me as in the code snippet above.
zachmargolis
left a comment
LGTM. Looking at this again, it's the simplest change, re-uses the same mixin methods for URLs we already have. The whole "flows/steps are not quite a controller" thing bugs me but that is a battle for a different day
**Why**: So that the browser will allow connect to upload images to S3.

The work in #4409 assumes that a wildcard `*` can be used in the path fragment of a `connect-src` source list, which is not correct ([see specification](https://www.w3.org/TR/CSP3/#match-paths)). Thus, connection attempts would still be rejected.

This largely reverts the prior effort, instead appending to the CSP header in the view itself. This may not be ideal, though it has a few upsides:

- Closer association to where the CSP URLs are relevant (as opposed to application-wide configuration)
- [There is prior art](https://github.com/18F/identity-idp/blob/86981809d5e2d4a19e31b2ad89149b6737674402/app/views/shared/_recaptcha.html.erb#L2-L3)

Alternatives explored:

- Append at [point in code](https://github.com/18F/identity-idp/blob/86981809d5e2d4a19e31b2ad89149b6737674402/app/services/idv/steps/document_capture_step.rb#L18-L33) where URLs are assigned into view variables. This felt like an unexpected side-effect of what should be expected to be a pure function.
- Some other pre-render hook of the document capture step. Unfortunately most existing behavior of a step appears to be tailored for a step's submission, not its initial rendering.

Possible follow-on: Ideally the feature tests added in #4407 could exercise these headers. Unfortunately, it's made challenging by the fact that our fake endpoints are served by the local server, which is allowed by default in the CSP headers. This would also be contingent upon LG-3785.
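To make the path-matching point above concrete, here is an added example (not code from this PR or from the identity-idp project): a compact JavaScript re-implementation of the CSP Level 3 host-source match, enough to show that a `*` in the path part of a `connect-src` entry is a literal character and not a wildcard. The bucket host, page origin and presigned URL are constructed placeholders, and `cspPathMatches`, `cspSourceMatches` and `connectAllowed` are names chosen for this example.

```javascript
// Added illustration, not code from this PR or the identity-idp project: a compact
// re-implementation of the CSP Level 3 host-source match
// (https://www.w3.org/TR/CSP3/#match-paths), enough to show why a "*" in the
// path of a connect-src entry is a literal character and not a wildcard.
// Bucket host, page origin and presigned URL below are constructed placeholders.

// scheme://host[:port][/path] -- "*" is only special as the whole host, as a
// "*." host prefix, or as the port; inside the path it is an ordinary character.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*?#]+)(?::(\d+|\*))?(\/[^?#\s]*)?$/i;

function percentDecode(segment) {
  try { return decodeURIComponent(segment); } catch (_) { return segment; }
}

// Path matching as CSP3 specifies it: a source path ending in "/" matches any URL
// path that begins with the same segments; any other source path must equal the
// URL path segment for segment. There is no wildcard expansion at all.
function cspPathMatches(sourcePath, urlPath) {
  if (!sourcePath) return true;                                  // no path: any path is fine
  if (sourcePath === '/' && (urlPath === '' || urlPath === '/')) return true;
  const exact = !sourcePath.endsWith('/');
  const srcSegs = sourcePath.split('/');
  const urlSegs = urlPath.split('/');
  if (!exact) srcSegs.pop();            // drop the empty segment produced by the trailing "/"
  if (srcSegs.length > urlSegs.length) return false;
  for (let i = 0; i < srcSegs.length; i += 1) {
    if (percentDecode(srcSegs[i]) !== percentDecode(urlSegs[i])) return false;
  }
  return !exact || srcSegs.length === urlSegs.length;
}

// One source expression against one URL. Keyword, nonce and hash sources other
// than 'self' are not host-sources and never match a connection URL.
function cspSourceMatches(source, urlString, pageOrigin) {
  const url = new URL(urlString);
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // scheme-part: absent means the page's scheme; http also admits its https upgrade
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1).toLowerCase();
  const wantScheme = scheme ? scheme.toLowerCase() : pageScheme;
  if (urlScheme !== wantScheme && !(wantScheme === 'http' && urlScheme === 'https')) return false;

  // host-part: "*" any host, "*.example" any subdomain of example, otherwise exact
  const urlHost = url.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (wantHost !== '*') {
    if (wantHost.startsWith('*.')) {
      if (!urlHost.endsWith(wantHost.slice(1))) return false;
    } else if (urlHost !== wantHost) {
      return false;
    }
  }

  // port-part: "*" any; explicit must match; absent means the scheme's default port
  const defaultPort = { https: '443', http: '80' }[urlScheme] || '';
  const urlPort = url.port || defaultPort;
  if (port !== '*' && urlPort !== (port === undefined ? defaultPort : port)) return false;

  // path-part: only the URL path is consulted; query string and fragment are ignored,
  // so the X-Amz-* signature parameters of a presigned URL never influence the match
  return cspPathMatches(path, url.pathname);
}

// Would a connect-src directive with this value allow a request to urlString?
function connectAllowed(directiveValue, urlString, pageOrigin) {
  return directiveValue.trim().split(/\s+/).some((s) => cspSourceMatches(s, urlString, pageOrigin));
}

// Constructed inputs (placeholder bucket, page origin and signature).
const PAGE_ORIGIN = 'https://idp.example.test';
const BUCKET = 'https://example-bucket.s3.amazonaws.com';
const PRESIGNED_PUT = `${BUCKET}/uploads/7c1f0e.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=00ff`;

// The cases the PR description is about: directive value -> is the upload allowed?
function presignedUploadCases() {
  return {
    // "/*" is an exact-match path of one literal segment, "*": the upload is blocked
    starPath:    connectAllowed(`'self' ${BUCKET}/*`, PRESIGNED_PUT, PAGE_ORIGIN),
    // a bare "/" (or no path at all) is a prefix match over the whole bucket: allowed
    slashPath:   connectAllowed(`'self' ${BUCKET}/`, PRESIGNED_PUT, PAGE_ORIGIN),
    noPath:      connectAllowed(`'self' ${BUCKET}`, PRESIGNED_PUT, PAGE_ORIGIN),
    // narrowing to the key prefix still works, but only with the trailing slash
    prefixPath:  connectAllowed(`'self' ${BUCKET}/uploads/`, PRESIGNED_PUT, PAGE_ORIGIN),
    exactFolder: connectAllowed(`'self' ${BUCKET}/uploads`, PRESIGNED_PUT, PAGE_ORIGIN),
    // the only URL "/*" does allow is one whose path is literally "/*"
    literalStar: connectAllowed(`${BUCKET}/*`, `${BUCKET}/*`, PAGE_ORIGIN),
    // 'self' already covers the app's own host, which is why a fake S3 endpoint
    // served locally never exercises the bucket entry
    selfOnly:    connectAllowed("'self'", `${PAGE_ORIGIN}/fake-s3/upload`, PAGE_ORIGIN),
  };
}

console.log(presignedUploadCases());
```

Running it prints `starPath: false` next to `slashPath`, `noPath` and `prefixPath: true`, which is the whole reason the PR appends the bucket URL itself rather than a `/*` form. The `selfOnly` case also illustrates the testing caveat in the description: a fake endpoint on the page's own origin is admitted by `'self'`, so a feature test against it says nothing about whether the bucket entry is present.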