From 9805dc96ab73d372708e04a44e8237d0fb0e1d57 Mon Sep 17 00:00:00 2001 From: "Rasika.Abeyrathna" Date: Thu, 30 Nov 2023 17:24:14 +0000 Subject: [PATCH 1/4] HOTT-4466: Add CSP policy to Admin app --- .../initializers/content_security_policy.rb | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 3621f97f..9640725c 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb 
@@ -4,23 +4,23 @@ # For further information see the following documentation # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -# Rails.application.configure do -# config.content_security_policy do |policy| -# policy.default_src :self, :https -# policy.font_src :self, :https, :data -# policy.img_src :self, :https, :data -# policy.object_src :none -# policy.script_src :self, :https -# policy.style_src :self, :https -# # Specify URI for violation reports -# # policy.report_uri "/csp-violation-report-endpoint" -# end -# +Rails.application.configure do + config.content_security_policy do |policy| + policy.default_src :self, :https + policy.font_src :self, :https, :data + policy.img_src :self, :https, :data + policy.object_src :none + policy.script_src :self, :https + policy.style_src :self, :https + # Specify URI for violation reports + # policy.report_uri "/csp-violation-report-endpoint" + end + # # Generate session nonces for permitted importmap and inline scripts # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } # config.content_security_policy_nonce_directives = %w(script-src) # # # Report CSP violations to a specified URI. See: # # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only -# # config.content_security_policy_report_only = true -# end + config.content_security_policy_report_only = true +end From 0c327fd9611f5a6a8b36e8d2e20025eb6e082052 Mon Sep 17 00:00:00 2001 From: "Rasika.Abeyrathna" Date: Fri, 1 Dec 2023 14:28:51 +0000 Subject: [PATCH 2/4] HOTT-4466: Add nonce to script tag and configure sentry for CSP reporting --- app/views/layouts/application.html.erb | 6 +++--- config/initializers/content_security_policy.rb | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb index 6e4cf967..5fbc9262 100644 --- a/app/views/layouts/application.html.erb 
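Review bot: `policy.script_src :self, :https` (and the matching `default_src` / `style_src`) permits scripts from any HTTPS origin, so an injected `<script src="https://attacker.example/x.js">` is still allowed and the header gives little real XSS protection; either list the specific CDNs this app loads from or move to a nonce-based policy so the host wildcard can go. The hunk also sets neither `frame_ancestors` nor `base_uri`, and `frame-ancestors` does not fall back to `default-src`, so unless an `X-Frame-Options` header is set elsewhere (not visible here) the admin app stays frameable; `policy.frame_ancestors :none` and `policy.base_uri :self` close both gaps. Whether the block is enforced or report-only is decided further down the file, so the over-broad sources are the point that matters either way.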
+++ b/app/views/layouts/application.html.erb @@ -18,9 +18,9 @@ - + <%= javascript_tag nonce: true do -%> + document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled'); + <% end -%> Skip to main content diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 9640725c..f370c0e1 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -13,14 +13,14 @@ policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports - # policy.report_uri "/csp-violation-report-endpoint" + policy.report_uri ENV['SENTRY_DSN'] end # # Generate session nonces for permitted importmap and inline scripts -# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } -# config.content_security_policy_nonce_directives = %w(script-src) + config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } + # config.content_security_policy_nonce_directives = %w(script-src) # # # Report CSP violations to a specified URI. See: # # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only - config.content_security_policy_report_only = true +# config.content_security_policy_report_only = true end From a684031536ece2cee535b216a993b759a257adfa Mon Sep 17 00:00:00 2001 From: "Rasika.Abeyrathna" Date: Fri, 1 Dec 2023 19:08:53 +0000 Subject: [PATCH 3/4] HOTT-4466: remove jquery --- app/webpacker/javascripts/markdown-preview.js | 51 +++++++++++-------- package.json | 1 + yarn.lock | 5 ++ 3 files changed, 36 insertions(+), 21 deletions(-) diff --git a/app/webpacker/javascripts/markdown-preview.js b/app/webpacker/javascripts/markdown-preview.js index f833c996..d57e7c38 100644 --- a/app/webpacker/javascripts/markdown-preview.js +++ b/app/webpacker/javascripts/markdown-preview.js 
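Review bot: `config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }` makes the nonce a per-session constant rather than a per-response random value, so a nonce learned once (from any page whose markup leaks or is injected into) stays valid for the rest of the session, and it also copies the session identifier into every CSP header and `nonce=` attribute. A per-request `->(_request) { SecureRandom.base64(16) }` is what the CSP spec expects; if a session-stable value is needed for caching reasons, derive it with a keyed hash rather than exposing the raw id. With `content_security_policy_nonce_directives` left commented out, recent Rails versions apply the nonce to both script-src and style-src by default, which presumably suits the `javascript_tag nonce: true` added in the same commit, but pinning `%w(script-src)` explicitly avoids silently emitting a style nonce too. Note that `session.id` may be nil before a session exists, which with `.to_s` yields an empty nonce.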
@@ -1,28 +1,37 @@ -import $ from 'jquery'; -import 'jquery.autosize' ; - -$(document).ready(function(){ +document.addEventListener("DOMContentLoaded", function () { var Previewer = { - preview: function(content, output) { - $.ajax({ - type: 'POST', - url: "/govspeak", - data: { govspeak: content.val() }, - dataType: 'json' - }).done(function(data){ - output.html(data['govspeak']); - }); - } + preview: function (content, output) { + fetch("/govspeak", { + method: "POST", + headers: { + "Content-Type": "application/json", + }, + body: JSON.stringify({ govspeak: content.value }), + }) + .then(function (response) { + return response.json(); + }) + .then(function (data) { + output.innerHTML = data.govspeak; + }) + .catch(function (error) { + console.error("Error:", error); + }); + }, }; - $("[data-preview]").each(function(){ - var source_field = $($(this).data('preview-for')); - var render_area = $(this); + document.querySelectorAll("[data-preview]").forEach(function (element) { + var source_field = document.querySelector(element.dataset.previewFor); + var render_area = element; - source_field.keyup(function() { + source_field.addEventListener("input", function () { Previewer.preview(source_field, render_area); - }) + }); }); - $('textarea').autosize(); -}); + document.querySelectorAll("textarea").forEach(function (textarea) { + textarea.addEventListener("input", function () { + autosize(this); + }); + }); +}); \ No newline at end of file diff --git a/package.json b/package.json index 0659cfa7..cc46a7e5 100644 --- a/package.json +++ b/package.json @@ -3,6 +3,7 @@ "private": true, "dependencies": { "@rails/webpacker": "^5.4.4", + "autosize": "^6.0.1", "chart.js": "^4.4.0", "govuk-frontend": "^4.7.0", "jquery": "^3.7.1", diff --git a/yarn.lock b/yarn.lock index 6893b40b..b8187ad1 100644 --- a/yarn.lock +++ b/yarn.lock 
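Review bot: the new `fetch("/govspeak", …)` POST sends no CSRF token, whereas the replaced `$.ajax` call would typically have had `X-CSRF-Token` added by rails-ujs/jquery_ujs; with Rails' default `protect_from_forgery` the preview request will be rejected, and if the controller instead skips verification for this route (not visible here) the endpoint becomes callable cross-site. `autosize(this)` is also called without an `import autosize from "autosize"` in this file (the package is only added to package.json in the same commit), so it is a ReferenceError unless a global is provided elsewhere, and autosize only needs initialising once per textarea rather than on every `input` event. The `.then` chain ignores `response.ok`, so a 4xx/5xx HTML body is fed to `response.json()` and surfaces only as a console error. `output.innerHTML = data.govspeak` trusts server-rendered markup exactly as the old `.html()` did; whether `/govspeak` sanitises its output cannot be confirmed from this hunk.
```javascript
import autosize from "autosize";

// … unchanged: DOMContentLoaded wrapper …
  var csrfMeta = document.querySelector('meta[name="csrf-token"]');
  var Previewer = {
    preview: function (content, output) {
      fetch("/govspeak", {
        method: "POST",
        credentials: "same-origin",
        headers: {
          "Content-Type": "application/json",
          "X-CSRF-Token": csrfMeta ? csrfMeta.content : "",
        },
        body: JSON.stringify({ govspeak: content.value }),
      })
        .then(function (response) {
          if (!response.ok) {
            throw new Error("Preview request failed: " + response.status);
          }
          return response.json();
        })
        // … unchanged: render and catch handlers …
    },
  };
  // … unchanged: [data-preview] wiring …
  document.querySelectorAll("textarea").forEach(function (textarea) {
    autosize(textarea);
  });
```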
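Review bot: `"jquery": "^3.7.1"` is still listed in dependencies although the commit is titled "remove jquery" and markdown-preview.js no longer imports it; if no other entrypoint uses it (not visible here), drop it so an unused library is neither shipped nor tracked for advisories. The new `"autosize": "^6.0.1"` caret range is acceptable given the accompanying lockfile pins the exact tarball and integrity hash.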
@@ -1803,6 +1803,11 @@ autoprefixer@^9.6.1: postcss "^7.0.32" postcss-value-parser "^4.1.0" +autosize@^6.0.1: + version "6.0.1" + resolved "https://registry.yarnpkg.com/autosize/-/autosize-6.0.1.tgz#64ee78dd7029be959eddd3afbbd33235b957e10f" + integrity sha512-f86EjiUKE6Xvczc4ioP1JBlWG7FKrE13qe/DxBCpe8GCipCq2nFw73aO8QEBKHfSbYGDN5eB9jXWKen7tspDqQ== + available-typed-arrays@^1.0.5: version "1.0.5" resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz#92f95616501069d07d10edb2fc37d3e1c65123b7" From 9a6667c47a69c449b446a0b4672449c4d876079c Mon Sep 17 00:00:00 2001 From: "Rasika.Abeyrathna" Date: Fri, 1 Dec 2023 19:58:43 +0000 Subject: [PATCH 4/4] HOTT-4466: add sentry endpoint --- config/initializers/content_security_policy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index f370c0e1..c415fb2b 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -13,7 +13,7 @@ policy.script_src :self, :https policy.style_src :self, :https # Specify URI for violation reports - policy.report_uri ENV['SENTRY_DSN'] + policy.report_uri ENV['SENTRY_CSP_ENDPOINT'] if ENV['SENTRY_CSP_ENDPOINT'].present? end # # Generate session nonces for permitted importmap and inline scripts
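Review bot: `policy.report_uri ENV['SENTRY_CSP_ENDPOINT'] if ENV['SENTRY_CSP_ENDPOINT'].present?` writes the environment value into the header verbatim and the Rails DSL does not validate it, so a malformed value from a bad deploy config (whitespace or a `;`) would corrupt or extend the policy; reading it once into `endpoint = ENV['SENTRY_CSP_ENDPOINT']` and guarding with `policy.report_uri endpoint if endpoint.present? && URI(endpoint).is_a?(URI::HTTPS)` keeps a misconfiguration from silently weakening the header. `report-uri` is deprecated in favour of `report-to`/`Reporting-Endpoints`, though Sentry still accepts it, and a comment such as `# report-uri is deprecated but still the form Sentry's CSP endpoint accepts` would record the choice. Because the value is read once at boot, changing the variable needs a restart, which is worth stating in the same comment.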