Replace SecureHeaders CSP tooling with built in Rails tooling by jmhooper · Pull Request #5757 · 18F/identity-idp

jmhooper · 2021-12-27T23:18:59Z

Why: So that we can use the baked in Rails behavior for managing the CSP.

This commit includes a feature flag so we can test this without potentially breaking the world.

**Why**: So that we can use the baked in Rails behavior for managing the CSP.

app/controllers/concerns/secure_headers_concern.rb

app/views/shared/_dap_analytics.html.erb

config/initializers/secure_headers.rb

app/controllers/concerns/secure_headers_concern.rb

config/initializers/secure_headers.rb

config/initializers/content_security_policy.rb

… this mistake

config/initializers/content_security_policy.rb

config/initializers/secure_headers.rb

jmhooper · 2022-01-24T21:05:54Z

Okay, I finally have everything passing and think this is finally ready to go

app/helpers/secure_headers_helper.rb

config/initializers/content_security_policy.rb

zachmargolis

LGTM

zachmargolis · 2022-01-24T21:37:34Z

config/initializers/secure_headers.rb

  default_csp_config[:script_src] = ["'self'", "'unsafe-eval'"] if !Rails.env.production?

-  if IdentityConfig.store.rails_mailer_previews_enabled
-    default_csp_config[:style_src] << "'unsafe-inline'"


oo thanks for cleaning up here

jmhooper added 2 commits December 27, 2021 17:17

Replace SecureHeaders CSP tooling with built in Rails tooling

87585e5

**Why**: So that we can use the baked in Rails behavior for managing the CSP.

add another TODO

46f02d8

jmhooper added the status - work in progress label Dec 27, 2021

zachmargolis reviewed Dec 28, 2021

View reviewed changes

jmhooper added 4 commits January 7, 2022 14:00

Merge branch 'main' into jmhooper-integrate-secure-headers

b5c72df

move everything into 1 before action

bf7415b

use rails CSP tooling on document capture step

7265ad9

more like "TO DONE" amirite?

9002dd5

aduth reviewed Jan 7, 2022

View reviewed changes

config/initializers/secure_headers.rb Outdated Show resolved Hide resolved

jmhooper added 2 commits January 7, 2022 14:24

fix secure header invocation in template

78b6b8e

TODO note

be7dfee

zachmargolis reviewed Jan 7, 2022

View reviewed changes

config/initializers/content_security_policy.rb Outdated Show resolved Hide resolved

jmhooper added 4 commits January 7, 2022 15:00

use opt out config

832c217

Merge branch 'main' into jmhooper-integrate-secure-headers

8ddd50c

add webpacker rules

29fdd54

Been doing this over a decade and I swear to god how do I keep making…

ad88fce

… this mistake

aduth reviewed Jan 14, 2022

View reviewed changes

config/initializers/content_security_policy.rb Outdated Show resolved Hide resolved

cleanup connect source

b6c2bb6

jmhooper commented Jan 14, 2022

View reviewed changes

config/initializers/secure_headers.rb Outdated Show resolved Hide resolved

jmhooper added 11 commits January 14, 2022 10:09

re-add unsafe-eval in development

18e88a2

comment out unsafe-inline / unsafe-eval and see what CI does

d868776

clean up lint issue

5557487

put unsafe-eval back

a688dba

slim up delta between test/production CSP

884b92d

delint

0234e07

Merge branch 'main' into jmhooper-integrate-secure-headers

db74cdf

try using dev tools in test

31915da

whooops

10d9ee4

delint

b178ca4

test cleanup and re-add the remove CSP middleware

76ba500

This was referenced Jan 21, 2022

Refactor the CSP allow list tooling to better reduce CSP and preserve schemes #5842

Merged

Remove 'unsafe-inline' from the CSP #5844

Merged

jmhooper added 14 commits January 21, 2022 14:54

Merge branch 'main' into jmhooper-integrate-secure-headers

2cafd98

cleanup from merge

6a923e8

reducing diff noise

0c96530

PULL THE LEVER, KRONK

9fbe192

a little re-organizing

89540b2

whoops

3ef6e29

Add the default nonce generator

786509e

some cleanup to break into a separate PR

2ae9357

Merge branch 'main' into jmhooper-integrate-secure-headers

98772e2

use the current_content_security_policy method

84f59ff

fix document capature template test

3ccad15

fix document capture concern issue

36d99d2

fix saml idp controller

c85e462

delint

2fe8529

jmhooper requested review from aduth, orenyk and zachmargolis January 24, 2022 21:06

jmhooper added status - ready for review and removed status - work in progress labels Jan 24, 2022

zachmargolis reviewed Jan 24, 2022

View reviewed changes

app/helpers/secure_headers_helper.rb Show resolved Hide resolved

config/initializers/content_security_policy.rb Show resolved Hide resolved

jmhooper added 2 commits January 24, 2022 16:24

mailer preview and unsafe inline

2332f79

Merge branch 'main' into jmhooper-integrate-secure-headers

c35cf30

zachmargolis approved these changes Jan 24, 2022

View reviewed changes

jmhooper added 2 commits January 25, 2022 11:28

i know how conditionals work

fb45906

Merge branch 'main' into jmhooper-integrate-secure-headers

c2ccd20

jmhooper merged commit d5c10f6 into main Jan 25, 2022

jmhooper deleted the jmhooper-integrate-secure-headers branch January 25, 2022 16:50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Replace SecureHeaders CSP tooling with built in Rails tooling#5757

Replace SecureHeaders CSP tooling with built in Rails tooling#5757
jmhooper merged 43 commits intomainfrom
jmhooper-integrate-secure-headers

jmhooper commented Dec 27, 2021

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jmhooper commented Jan 24, 2022

Uh oh!

Uh oh!

Uh oh!

zachmargolis left a comment

Uh oh!

zachmargolis Jan 24, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

jmhooper commented Dec 27, 2021

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jmhooper commented Jan 24, 2022

Uh oh!

Uh oh!

Uh oh!

zachmargolis left a comment

Choose a reason for hiding this comment

Uh oh!

zachmargolis Jan 24, 2022

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants