Page MenuHomePhabricator

[Cashtab] Add CSP report only header
ClosedPublic

Authored by bytesofman on Jan 5 2024, 23:15.

Details

Reviewers
PiRK
Group Reviewers
Restricted Project
Commits
rABC8808f0c06470: [Cashtab] Add CSP report only header
Summary

T3395

Adding a Content-Security-Policy-Report-Only header. This will return error msgs if anything about the CSP is breaking the app. Will deploy this first, check it out, then deploy CSP.

Would be nice to have a more strict CSP. We need these settings to support sideshift integration as as a script. Also, unsafe-inline is necessary for standard react app functionality (though I believe it's possible to get around this by changing the build script).

For now, any CSP is still better than none.

Test Plan
cd web/cashtab
docker build -t cashtab_local .
docker run --rm -p 8080:80 --name cashtab cashtab_local

In another terminal,

curl -I http://localhost:8080

Can also deploy to netlify with these headers (need to follow their guide), then confirm you get no error log msgs

Note: Since this diff is only adding logs, there is no change as long as nginx.conf still passes nginx -t

Diff Detail

Repository
rABC Bitcoin ABC
Branch
add-csp-header
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 26198
Build 51968: Build Diffcashtab-tests
Build 51967: arc lint + arc unit