Replace SecureHeaders CSP tooling with built in Rails tooling

app/controllers/concerns/idv/document_capture_concern.rb

@@ -3,6 +3,14 @@ module DocumentCaptureConcern
     def override_document_capture_step_csp
       return if params[:step] != 'document_capture'
 
+      if FeatureManagement.rails_csp_tooling_enabled?
+        override_document_capture_step_csp_with_rails_csp_tooling
+      else
+        override_document_capture_step_csp_with_secure_headers
+      end
+    end
+
+    def override_document_capture_step_csp_with_secure_headers
       SecureHeaders.append_content_security_policy_directives(
         request,
         # required to run wasm until wasm-eval is available
@@ -13,5 +21,13 @@ def override_document_capture_step_csp
         img_src: ['blob:'],
       )
     end
+
+    def override_document_capture_step_csp_with_rails_csp_tooling
+      policy = current_content_security_policy
+      policy.script_src(*policy.script_src, :unsafe_eval)
+      policy.style_src(*policy.style_src, :unsafe_inline)
+      policy.img_src(*policy.img_src, 'blob:')
+      request.content_security_policy = policy
+    end
   end
 end

app/controllers/concerns/piv_cac_concern.rb

@@ -28,10 +28,7 @@ def piv_session
   end
 
   def set_piv_cac_setup_csp_form_action_uris
-    override_content_security_policy_directives(
-      form_action: piv_cac_setup_csp_form_action_uris,
-      preserve_schemes: true,
-    )
+    override_form_action_csp(piv_cac_setup_csp_form_action_uris)
   end
 
   def piv_cac_setup_csp_form_action_uris

app/controllers/concerns/secure_headers_concern.rb

@@ -5,19 +5,31 @@ def apply_secure_headers_override
     return if stored_url_for_user.blank?
 
     authorize_form = OpenidConnectAuthorizeForm.new(authorize_params)
-
     return unless authorize_form.valid?
 
-    override_csp_with_uris
+    override_form_action_csp(csp_uris)
+  end
+
+  def override_form_action_csp(uris)
+    if FeatureManagement.rails_csp_tooling_enabled?
+      apply_secure_headers_override_with_rails_csp_tooling(uris)
+    else
+      apply_secure_headers_override_with_secure_headers(uris)
+    end
   end
 
-  def override_csp_with_uris
+  def apply_secure_headers_override_with_secure_headers(uris)
     override_content_security_policy_directives(
-      form_action: csp_uris,
-      preserve_schemes: true,
+      form_action: uris,
     )
   end
 
+  def apply_secure_headers_override_with_rails_csp_tooling(uris)
+    policy = current_content_security_policy
+    policy.form_action(*uris)
+    request.content_security_policy = policy
+  end
+
   def csp_uris
     return ["'self'"] if stored_url_for_user.blank?
     # Returns fully formed CSP array w/"'self'" and redirect_uris

app/controllers/openid_connect/authorization_controller.rb

@@ -12,7 +12,7 @@ class AuthorizationController < ApplicationController
     before_action :sign_out_if_prompt_param_is_login_and_user_is_signed_in, only: [:index]
     before_action :store_request, only: [:index]
     before_action :check_sp_active, only: [:index]
-    before_action :override_csp_with_uris, only: [:index]
+    before_action :apply_secure_headers_override, only: [:index]
     before_action :confirm_user_is_authenticated_with_fresh_mfa, only: :index
     before_action :prompt_for_password_if_ial2_request_and_pii_locked, only: [:index]
     before_action :bump_auth_count, only: [:index]

app/controllers/saml_idp_controller.rb

@@ -11,6 +11,7 @@ class SamlIdpController < ApplicationController
   include VerifyProfileConcern
   include AuthorizationCountConcern
   include BillableEventTrackable
+  include SecureHeadersConcern
 
   prepend_before_action :skip_session_load, only: :metadata
   prepend_before_action :skip_session_expiration, only: :metadata
@@ -118,7 +119,7 @@ def render_template_for(message, action_url, type)
     csp_uris = SecureHeadersAllowList.csp_with_sp_redirect_uris(
       action_url, decorated_session.sp_redirect_uris
     )
-    override_content_security_policy_directives(form_action: csp_uris)
+    override_form_action_csp(csp_uris)
 
     render(
       template: 'saml_idp/shared/saml_post_binding',

app/helpers/secure_headers_helper.rb

@@ -0,0 +1,34 @@
+module SecureHeadersHelper
+  def backwards_compatible_javascript_tag(*args, **opts, &block)
+    if FeatureManagement.rails_csp_tooling_enabled?
+      javascript_tag(*args, opts.merge(nonce: true), &block)
+    else
+      nonced_javascript_tag(*args, **opts, &block)
+    end
+  end
+
+  def add_document_capture_image_urls_to_csp(request, urls)
+    cleaned_urls = urls.compact.map do |url|
+      URI(url).tap { |uri| uri.query = nil }.to_s
+    end
+
+    if FeatureManagement.rails_csp_tooling_enabled?
+      add_document_capture_image_urls_to_csp_with_rails_csp_tooling(request, cleaned_urls)
+    else
+      add_document_capture_image_urls_to_csp_with_secure_headers(request, cleaned_urls)
+    end
+  end
+
+  def add_document_capture_image_urls_to_csp_with_secure_headers(request, urls)
+    SecureHeaders.append_content_security_policy_directives(
+      request,
+      connect_src: urls,
+    )
+  end
+
+  def add_document_capture_image_urls_to_csp_with_rails_csp_tooling(request, urls)
+    policy = request.content_security_policy.clone
+    policy.connect_src(*policy.connect_src, *urls)
+    request.content_security_policy = policy
+  end
+end

app/views/idv/shared/_document_capture.html.erb

@@ -4,17 +4,10 @@
   <%= tag.meta name: 'acuant-sdk-initialization-creds', content: IdentityConfig.store.acuant_sdk_initialization_creds %>
   <%= stylesheet_link_tag 'document-capture' %>
 <% end %>
-<% SecureHeaders.append_content_security_policy_directives(
+<% add_document_capture_image_urls_to_csp(
      request,
-     connect_src: [
-       front_image_upload_url,
-       back_image_upload_url,
-       selfie_image_upload_url,
-     ].
-       compact.
-       map { |url| URI(url).tap { |uri| uri.query = nil }.to_s },
+     [front_image_upload_url, back_image_upload_url, selfie_image_upload_url],
    )
-
    session_id = flow_session[:document_capture_session_uuid]
 %>
 <%= tag.div id: 'document-capture-form', data: {
@@ -147,7 +140,7 @@
       ) %>
 </div>
 
-<%= nonced_javascript_tag do %>
+<%= backwards_compatible_javascript_tag do %>
   <% asset_keys = [
        'close-white-alt.svg',
        'id-card.svg',

app/views/layouts/base.html.erb

@@ -23,7 +23,7 @@
       ) %>
 
 
-  <%= nonced_javascript_tag do %>
+  <%= backwards_compatible_javascript_tag do %>
     document.documentElement.className = document.documentElement.className.replace(/\bno-js\b/, 'js');
   <% end %>
   <%= preload_link_tag font_url('identity-style-guide/dist/assets/fonts/source-sans-pro/sourcesanspro-regular-webfont.woff2') %>

app/views/shared/_banner.html.erb

@@ -22,7 +22,7 @@
         </div>
       </div>
       <div class="usa-banner__content usa-accordion__content" id="gov-banner">
-        <%= nonced_javascript_tag do %>
+        <%= backwards_compatible_javascript_tag do %>
           document.getElementById('gov-banner').setAttribute('hidden', '');
         <% end %>
         <div class="grid-row grid-gap-lg">

app/views/shared/_dap_analytics.html.erb

@@ -1,4 +1,4 @@
 <!-- <%= t('notices.dap_participation') %> -->
 <% dap_source = 'https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=GSA&subagency=TTS' %>
-<%= nonced_javascript_tag({ src: dap_source, async: true, id: '_fed_an_ua_tag' }) do %>
+<%= backwards_compatible_javascript_tag({ src: dap_source, async: true, id: '_fed_an_ua_tag' }) do %>
 <% end %>

app/views/shared/_failure.html.erb

@@ -23,5 +23,5 @@
 <% presenter.next_steps.each do |step| %>
   <p><%== step %></p>
 <% end; if presenter.js %>
-  <%= nonced_javascript_tag presenter.js %>
+  <%= backwards_compatible_javascript_tag presenter.js %>
 <% end %>