[LG-7191] Suppress content security policy#6705

Closed
gangelo wants to merge 2 commits into main from add_suppress_content_security_policy_config

@gangelo gangelo commented Aug 8, 2022

Suppress content security policy if IdentityConfig.store.suppress_content_security_policy is true.

508 tools that rely on JavaScript execution (ANDI, for example) are unable to execute in the development environment due to Content Security Policy (CSP) policies.

Creating/setting IdentityConfig.store.suppress_content_security_policy in an AWS sandbox will allow developers to turn CSP off, allowing these valuable tools to run.

@gangelo gangelo self-assigned this Aug 8, 2022
@gangelo gangelo force-pushed the add_suppress_content_security_policy_config branch 2 times, most recently from 0f4a66c to 16a9b34 Compare August 8, 2022 19:07
Contributor

This method opens up the policy; does it still cause problems for the accessibility tool on this step if we leave it in?

Contributor Author

Not sure about that, I have to test that out.

aduth commented Aug 8, 2022

Would the existing disable_csp_unsafe_inline configuration help with the need? Could we consider other tools? It's a bit concerning to me that a tool wouldn't be functional without the ability to download third-party scripts or call out to a third-party API. Historically I've been able to use the Deque Axe DevTools and Accessibility Insights for Web extensions without any issues, and those have been pretty popular in the program.

If we did add this, would the idea be to only allow for it in local development, and not in any deployed environments?

@gangelo gangelo changed the title [no card] Suppress content security policy [LG-7191] Suppress content security policy Aug 9, 2022
If IdentityConfig.store.suppress_content_security_policy is true.

changelog: Accessibility, Internal, Add config to suppress content security policy in AWS sandbox (LG-7191)
@gangelo gangelo force-pushed the add_suppress_content_security_policy_config branch from 16a9b34 to 33e952a Compare August 9, 2022 13:47
Inside blocks/procs; use next instead.
@gangelo gangelo closed this Aug 10, 2022
@gangelo gangelo deleted the add_suppress_content_security_policy_config branch August 10, 2022 14:25
@rnagilla-gsa rnagilla-gsa added the inherited proofing Pull Requests for the Inherited Proofing feature label Oct 13, 2022