This repository has been archived by the owner on Sep 11, 2024. It is now read-only.

Fix CSP problems due to cypress-axe #10843

Merged (4 commits, May 11, 2023)

Conversation


@richvdh richvdh commented May 10, 2023

Currently, if you try to run the cypress tests without patching the application, you get an error about the CSP:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' https://www.recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/".

This is because cypress-axe uses an eval call to inject Axe into the application under test, which is forbidden by our CSP.

To solve this, rewrite injectAxe so that it injects a <script> element instead.


This change is marked as an internal change (Task), so will not be included in the changelog.

Rewrite `injectAxe` to use a script tag instead of an `eval`.
@richvdh richvdh requested a review from a team as a code owner May 10, 2023 13:53
@richvdh richvdh requested review from andybalaam and weeman1337 May 10, 2023 13:53
@richvdh richvdh added the T-Task Refactoring, enabling or disabling functionality, other engineering tasks label May 10, 2023

richvdh commented May 10, 2023

We might be able to get rid of the hacks in the GHA workflow once this lands:

```yaml
# This is necessary as Cypress relies on eval for passing functions between processes
- name: Allow CSP script-src unsafe-eval
  run: sed -i "s/script-src /script-src 'unsafe-eval' /" webapp/index.html
```
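The policy quoted in the PR description refuses `eval()` because its `script-src` carries `'wasm-unsafe-eval'` but not `'unsafe-eval'`, and the workflow step above papers over that by splicing `'unsafe-eval'` into index.html with `sed`. The following is an added example, not code from this PR, from cypress-axe or from the project: a small, dependency-free evaluator for the `script-src` directive of a CSP string that shows why the eval was blocked, that `'wasm-unsafe-eval'` alone never unlocks JavaScript `eval()`, and what the `sed` step actually changes. The policy string is the one from the error message; the other inputs are constructed for illustration.

```javascript
// Added example: evaluate what a Content-Security-Policy's script-src allows.
// Not part of the PR or of cypress-axe; plain Node, no dependencies.

// Parse "name value value; name value" into a Map of directive -> source list.
// Per the CSP spec a directive that appears more than once is honoured only
// the first time, which is why the sed hack prepends rather than appends.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list that governs script execution: script-src, otherwise the
// default-src fallback, otherwise null (no restriction at all).
function scriptSourceList(policy) {
  const d = parseCsp(policy);
  if (d.has("script-src")) return d.get("script-src");
  if (d.has("default-src")) return d.get("default-src");
  return null;
}

function hasKeyword(list, keyword) {
  return list.some((s) => s.toLowerCase() === keyword);
}

// eval(), new Function() and string-argument setTimeout() all need
// 'unsafe-eval'. This is the check that failed for cypress-axe's injectAxe.
function evalAllowed(policy) {
  const list = scriptSourceList(policy);
  return list === null || hasKeyword(list, "'unsafe-eval'");
}

// WebAssembly compilation is permitted by either keyword. The trap in the
// quoted policy is that 'wasm-unsafe-eval' does not extend to JavaScript eval.
function wasmCompileAllowed(policy) {
  const list = scriptSourceList(policy);
  return (
    list === null ||
    hasKeyword(list, "'unsafe-eval'") ||
    hasKeyword(list, "'wasm-unsafe-eval'")
  );
}

// Equivalent of the workflow step
//   sed -i "s/script-src /script-src 'unsafe-eval' /" webapp/index.html
// applied to one line: like sed without /g, only the first match is replaced.
function applySedHack(line) {
  return line.replace("script-src ", "script-src 'unsafe-eval' ");
}

// Constructed input: the script-src directive from the error message in the PR.
const ELEMENT_CSP =
  "script-src 'self' 'wasm-unsafe-eval' https://www.recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/";

console.log("eval allowed:", evalAllowed(ELEMENT_CSP)); // false
console.log("wasm compile allowed:", wasmCompileAllowed(ELEMENT_CSP)); // true
console.log("eval allowed after sed hack:", evalAllowed(applySedHack(ELEMENT_CSP))); // true
```

Because only the first `script-src` is honoured, a policy such as `script-src 'self'; script-src 'unsafe-eval'` still refuses `eval()`; the `sed` step relies on inserting the keyword into the existing directive rather than adding a second one.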


@t3chguy t3chguy left a comment


😍

Can we also ditch the CSP-modifying sed line (`Allow CSP script-src unsafe-eval`)?


t3chguy commented May 10, 2023

> once this lands

Shouldn't need to wait, the workflow runs off the default branch so runs for this PR will have both your fix and the sed, once it lands just your fix.

@richvdh richvdh added this pull request to the merge queue May 11, 2023
Merged via the queue into develop with commit 3c32ad7 May 11, 2023
@richvdh richvdh deleted the rav/fix_axe branch May 11, 2023 12:38