
[Cashtab] Add CSP report only header

Description

[Cashtab] Add CSP report only header

Summary:
T3395

Adding a Content-Security-Policy-Report-Only header. This will return error msgs if anything about the CSP is breaking the app. Will deploy this first, check it out, then deploy CSP.

Would be nice to have a more strict CSP. We need these settings to support sideshift integration as a script. Also, unsafe-inline is necessary for standard react app functionality (though I believe it's possible to get around this by changing the build script).

For now, any CSP is still better than none.

Test Plan:

cd web/cashtab
docker build -t cashtab_local .
docker run --rm -p 8080:80 --name cashtab cashtab_local

In another terminal,

curl -I http://localhost:8080

Can also deploy to netlify with these headers (need to follow their guide), then confirm you get no error log msgs

Note: Since this diff is only adding logs, there is no change as long as nginx.conf still passes nginx -t

Reviewers: #bitcoin_abc, PiRK

Reviewed By: #bitcoin_abc, PiRK

Differential Revision: https://reviews.bitcoinabc.org/D15106
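As an added example (not Cashtab's code and not part of this diff), the following Python script does offline what the test plan's `curl -I` step does by eye: it parses a raw response head, reports whether a CSP is enforced, report-only, or absent, splits the policy into directives, and lints it for the weaknesses the summary mentions (`'unsafe-inline'`, `'unsafe-eval'`, wildcard hosts, no reporting endpoint). The sample response, the `https://sideshift.example` origin and the `/csp-report` endpoint are constructed placeholders, not the project's real nginx.conf output or policy.

```python
"""Added example, not the project's own code: lint the CSP headers that a
`curl -I` against the local container would print.

SAMPLE_RESPONSE, the sideshift hostname and the report endpoint below are
constructed assumptions for illustration; they are not Cashtab's actual
policy or nginx.conf output.
"""
from __future__ import annotations

REPORT_ONLY = "content-security-policy-report-only"
ENFORCED = "content-security-policy"
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample of a response head (hostnames/directives are assumed).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline' https://sideshift.example; style-src 'self' 'unsafe-inline'; img-src 'self' data:; report-uri /csp-report
"""


def parse_headers(raw: str) -> dict[str, str]:
    """Turn a raw head (status line followed by header lines) into a
    lowercase-keyed dict. Splits on the first ':' only, so header values
    containing URLs survive intact."""
    headers: dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}. Per the CSP
    grammar, directives are ';'-separated and tokens whitespace-separated."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(csp: dict[str, list[str]], directive: str) -> list[str]:
    """Resolve a fetch directive, falling back to default-src as browsers do."""
    return csp[directive] if directive in csp else csp.get("default-src", [])


def lint_csp(csp: dict[str, list[str]]) -> list[str]:
    """Return human-readable findings for the weak settings a reviewer looks for."""
    findings = []
    for directive in ("script-src", "style-src"):
        srcs = effective_sources(csp, directive)
        has_nonce_or_hash = any(t.startswith(NONCE_OR_HASH) for t in srcs)
        if "'unsafe-inline'" in srcs:
            if has_nonce_or_hash:
                # CSP2+ browsers ignore 'unsafe-inline' once a nonce/hash is listed.
                findings.append(f"{directive} lists 'unsafe-inline' but a nonce/hash is present, so browsers ignore it")
            else:
                findings.append(f"{directive} allows 'unsafe-inline'")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{directive} allows 'unsafe-eval'")
        if "*" in srcs:
            findings.append(f"{directive} allows any host (*)")
    if "report-uri" not in csp and "report-to" not in csp:
        findings.append("no report-uri/report-to: violations only reach the browser console")
    return findings


def allows_script_host(csp: dict[str, list[str]], origin: str) -> bool:
    """Exact-origin check that a third-party script (e.g. the sideshift
    widget) is permitted by the effective script-src."""
    return origin in effective_sources(csp, "script-src")


def check_response(raw: str) -> dict:
    """Summarise the CSP posture of a raw response head: mode, parsed
    directives and lint findings. An enforced header wins over report-only."""
    headers = parse_headers(raw)
    if ENFORCED in headers:
        mode = "enforced"
    elif REPORT_ONLY in headers:
        mode = "report-only"
    else:
        mode = "none"
    policy = headers.get(ENFORCED) or headers.get(REPORT_ONLY, "")
    csp = parse_csp(policy)
    return {"mode": mode, "directives": csp, "findings": lint_csp(csp)}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE)
    print("mode:", result["mode"])
    for finding in result["findings"]:
        print("finding:", finding)
```

To use it against a running container, pipe the real head in (`curl -sI http://localhost:8080 | python3 lint_csp.py` with `check_response(sys.stdin.read())`); the point of the report-only step is that these findings show up as reports rather than as a broken app, so anything flagged here can be tightened before the enforcing header ships.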

Details

Provenance
bytesofmanAuthored on Jan 5 2024, 23:11
bytesofmanPushed on Jan 10 2024, 13:25
Reviewer
Restricted Project
Differential Revision
D15106: [Cashtab] Add CSP report only header
Parents
rABC3eeec844c263: [herald] Patch bug in unidentified miner
Branches
Unknown
Tags
Unknown