Create Custom CSP #2977
Comments
|
Deployed PRs to Demo for testing - they should be live in about 15 min. if anyone has time to click around a bit later this afternoon to help me get some additional data into honeybadger before marking these PRs as ready to go that would be super appreciated. Thanks so much! |
|
This font error is back - but we fixed it in ticket #2972 so I'm not sure what changed to create this issue again.
|
|
To further alleviate google tag manager issues - would it be possible to disable a few settings in the GTM dashboard? Found this issue (and recommended suggestion) from October that may help us out with future upgrades. |
|
PRs ready for review: Both branches are deployed to Demo currently. There have been no CSP reports or errors in HoneyBadger (for Demo env) since the most recent deploy this afternoon. |
|
Management: Deployed to Test v2.74.1 |
|
Got most of it but did miss an elem directive - taking back to in progress to fix. Aside from this error HoneyBadger had no other CSP Reports from Test since these releases were deployed.
Waiting on PR to make it through CI before taking it out of draft - https://github.com/yalelibrary/yul-dc-blacklight/pull/1080/files |
|
PR ready for review - yalelibrary/yul-dc-blacklight#1080 |
Summary
To ensure feature parity until all open source resources are updated to not use inline scripts or styles 'unsafe-inline' was added to the default CSP. It is possible to customize the CSP per page and this will allow for a more secure policy - only allow 'unsafe-inline' in very specific cases until open source packages have updated their style and script injections.
Acceptance Criteria
Engineering Notes
https://api.rubyonrails.org/classes/ActionController/ContentSecurityPolicy/ClassMethods.html#method-i-content_security_policy
#2875 - related ticket
Exceptions to Mitigate
The text was updated successfully, but these errors were encountered: