
Reviewed and updated CSP rules #7956

Merged
david-yz-liu merged 1 commit into master from csp-updates
May 17, 2026

Conversation

Collaborator

@david-yz-liu david-yz-liu commented May 17, 2026

Proposed Changes

(Describe your changes here. Also describe the motivation for your changes: what problem do they solve, or how do they improve the application or codebase? If this pull request fixes an open issue, use a keyword to link this pull request to the issue.)

This pull request makes a few modifications to the codebase to improve our use of Content Security Policies (CSP).

Fixed violations

There were two existing violations of the script-src policy, in which a JavaScript eval was used.

  • heic2any was creating workers on module load (see https://github.com/alexcorvi/heic2any/blob/master/build/build.ts#L29), which triggered on every page. I modified this to import heic2any lazily when it is required, on the pages which already have a CSP exception built in (e.g., ResultsController#edit).
  • ajv was creating a validator at the module top-level, which triggered on every page load. I modified this to only create the validator when the AutotestManager component is used.
  • Our table loading spinner was using styled-components, which needed a nonce to be set. I added the nonce as a <meta> tag in the _head.html.erb layout.
    • This had the effect of causing the spinner to animate correctly in Firefox; I also added a justify-content rule to ensure that the spinner was centered in the table.
  • In app/views/groups/assign_scans.html.erb, inline style was used. I replaced this with a class.
  • However, other libraries also use inline styles. I enabled policy.style_src_attr :unsafe_inline, allowing for inline style attributes to be added to HTML elements.

Webpack source maps

We currently use Webpack's inline-source-map format for generating source maps in development. This was causing issues loading the source maps on Firefox. I changed this to eval-source-map, which avoids the loading issue and is faster to rebuild when changes are made. This required adding policy.script_src :unsafe_eval to the development environment.

Other changes

In config/initializers/content_security_policy.rb I added the rules policy.font_src :self and policy.object_src :none (Rails defaults), and policy.worker_src :self, :blob (rather than rely on the child-src fallback).

I also updated the comments to remove the reference to Bullet (as we are not using Bullet to inject HTML) and provide an explanation for the use of policy.script_src "'strict-dynamic'" due to @rails/ujs.

Screenshots of your changes (if applicable)
Associated documentation repository pull request (if applicable)

Type of Change

(Write an X or a brief description next to the type or types that best describe your changes.)

Type | Applies?
🚨 Breaking change (fix or feature that would cause existing functionality to change) |
New feature (non-breaking change that adds functionality) |
🐛 Bug fix (non-breaking change that fixes an issue) |
🎨 User interface change (change to user interface; provide screenshots) |
♻️ Refactoring (internal change to codebase, without changing functionality) | X
🚦 Test update (change that only adds or modifies tests) |
📦 Dependency update (change that updates a dependency) |
🔧 Internal (change that only affects developers or continuous integration) | X

Checklist

(Complete each of the following items for your pull request. Indicate that you have completed an item by changing the [ ] into a [x] in the raw text, or by clicking on the checkbox in the rendered description on GitHub.)

Before opening your pull request:

  • I have performed a self-review of my changes.
    • Check that all changed files included in this pull request are intentional changes.
    • Check that all changes are relevant to the purpose of this pull request, as described above.
  • I have added tests for my changes, if applicable.
    • This is required for all bug fixes and new features.
  • I have updated the project documentation, if applicable.
    • This is required for new features.
  • If this is my first contribution, I have added myself to the list of contributors.

After opening your pull request:

  • I have updated the project Changelog (this is required for all changes).
  • I have verified that the pre-commit.ci checks have passed.
  • I have verified that the CI tests have passed.
  • I have reviewed the test coverage changes reported by Coveralls.
  • I have requested a review from a project maintainer.

Questions and Comments

(Include any questions or comments you have regarding your changes.)
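The description above relies on two CSP mechanics that are easy to misread when auditing a policy: which directive actually governs a request when the specific one is absent (workers inherit child-src, then script-src, then default-src, which is why an explicit worker-src was added), and which keyword sources unlock eval and inline style attributes ('unsafe-eval', 'unsafe-inline', and how 'strict-dynamic' changes what else in the list counts). The Ruby below is an added example written for this page; it is not the project's code and nothing in the pull request ships it. It parses a Content-Security-Policy header string, resolves directive fallbacks, and answers those questions for constructed sample policies that approximate the production and development shapes described (the nonce value and the policy strings are placeholders, not taken from the repository).

```ruby
# Added example, not the project's own code: a small CSP header parser and
# directive resolver. It models the fallback chain the PR description relies
# on (worker-src -> child-src -> script-src -> default-src) and the keyword
# sources it enables ('unsafe-eval' in development, 'unsafe-inline' for
# style attributes). Sample policies are constructed for illustration.

# Fallback order per CSP Level 3: a missing directive is governed by the
# first listed fallback that is present in the policy.
FALLBACKS = {
  'worker-src'      => %w[child-src script-src default-src],
  'child-src'       => %w[default-src],
  'frame-src'       => %w[child-src default-src],
  'script-src'      => %w[default-src],
  'script-src-elem' => %w[script-src default-src],
  'script-src-attr' => %w[script-src default-src],
  'style-src'       => %w[default-src],
  'style-src-elem'  => %w[style-src default-src],
  'style-src-attr'  => %w[style-src default-src],
  'font-src'        => %w[default-src],
  'object-src'      => %w[default-src],
}.freeze

# Parse "name src src; name src" into { 'name' => ['src', ...] }.
# Browsers honour only the first occurrence of a repeated directive, so we do too.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?
    name = tokens.shift.downcase
    acc[name] = tokens unless acc.key?(name)
  end
end

# The source list that actually governs +directive+, following fallbacks.
# Returns nil when nothing in the policy governs it (i.e. it is unrestricted).
def effective_sources(policy, directive)
  return policy[directive] if policy.key?(directive)
  (FALLBACKS[directive] || ['default-src']).each do |fallback|
    return policy[fallback] if policy.key?(fallback)
  end
  nil
end

def nonce_or_hash?(sources)
  sources.any? { |s| s.match?(/\A'(nonce-|sha(256|384|512)-)/) }
end

# eval()/new Function() are permitted only when the governing script-src list
# contains 'unsafe-eval' (or when no list governs scripts at all).
def allows_eval?(policy)
  sources = effective_sources(policy, 'script-src')
  return true if sources.nil?
  sources.include?("'unsafe-eval'")
end

# Inline style="" attributes are governed by style-src-attr. A nonce cannot be
# attached to an attribute, so 'unsafe-inline' (ignored when a nonce or hash is
# present in the same list) is what allows them; 'unsafe-hashes' with a matching
# hash is the other route and is not modelled here.
def allows_inline_style_attr?(policy)
  sources = effective_sources(policy, 'style-src-attr')
  return true if sources.nil?
  sources.include?("'unsafe-inline'") && !nonce_or_hash?(sources)
end

# With 'strict-dynamic', host/scheme allowlists, 'self' and 'unsafe-inline' in
# the governing script-src list are ignored; only nonced/hashed scripts and the
# scripts they load at runtime count.
def host_allowlist_ignored?(policy)
  sources = effective_sources(policy, 'script-src') || []
  sources.include?("'strict-dynamic'")
end

# Constructed sample policies (nonce value is a placeholder, not a real one).
PRODUCTION_CSP = "default-src 'self'; " \
  "script-src 'self' 'nonce-PLACEHOLDER' 'strict-dynamic'; " \
  "style-src 'self' 'nonce-PLACEHOLDER'; style-src-attr 'unsafe-inline'; " \
  "font-src 'self'; object-src 'none'; worker-src 'self' blob:"
# Development adds 'unsafe-eval' to script-src, as eval-source-map requires.
DEVELOPMENT_CSP = PRODUCTION_CSP.sub('script-src ', "script-src 'unsafe-eval' ")
# Older shape with no worker-src: workers inherit child-src, not script-src.
LEGACY_CSP = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; child-src 'none'"

if __FILE__ == $PROGRAM_NAME
  prod = parse_csp(PRODUCTION_CSP)
  puts "production allows eval:        #{allows_eval?(prod)}"
  puts "development allows eval:       #{allows_eval?(parse_csp(DEVELOPMENT_CSP))}"
  puts "inline style attr allowed:     #{allows_inline_style_attr?(prod)}"
  puts "legacy worker-src resolves to: #{effective_sources(parse_csp(LEGACY_CSP), 'worker-src').inspect}"
end
```

The legacy sample shows why relying on the child-src fallback is fragile: a `child-src 'none'` added to lock down frames silently blocks workers too, whereas an explicit `worker-src 'self' blob:` is governed on its own terms.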

Collaborator

coveralls commented May 17, 2026

Coverage Report for CI Build 25996098347

Coverage decreased (-0.003%) to 90.184%

Details

  • Coverage decreased (-0.003%) from the base build.
  • Patch coverage: 3 uncovered changes across 2 files (9 of 12 lines covered, 75.0%).
  • No coverage regressions found.

Uncovered Changes

File | Changed | Covered | %
config/initializers/content_security_policy.rb | 11 | 9 | 81.82%
app/javascript/Components/Result/image_viewer.jsx | 1 | 0 | 0.0%

Coverage Regressions

No coverage regressions found.
Coverage Stats

Coverage Status
Relevant Lines: 49633
Covered Lines: 45730
Line Coverage: 92.14%
Relevant Branches: 2151
Covered Branches: 971
Branch Coverage: 45.14%
Branches in Coverage %: Yes
Coverage Strength: 128.07 hits per line

💛 - Coveralls

* Fixed a few violations
* Enabled policy.style_src_attr :unsafe_inline
* Enabled policy.script_src :unsafe_eval in development, allowing us to
  switch to Webpack eval-source-map for development
@david-yz-liu david-yz-liu merged commit ae36414 into master May 17, 2026
11 checks passed
@david-yz-liu david-yz-liu deleted the csp-updates branch May 17, 2026 19:40