#1649: remove CSP nonce from project (#1664)

* #1649: add new CSP nonce config to project

* remove include-nonce-in from settings

* drop all uses of nonce

* remove cspNonce from index.js

* revert formatting issue

Author: jaydonkrooss

assets/src/globals.js

@@ -5,11 +5,6 @@ import defaultPalette from './defaultPalette'
 const mylaGlobalsEl = document.getElementById('myla_globals')
 const mylaGlobals = mylaGlobalsEl ? JSON.parse(mylaGlobalsEl.textContent) : {}
 
-let cspNonce
-const cspMetaEl = document.querySelector('meta[name="csp-nonce"]')
-if (cspMetaEl !== null & cspMetaEl.hasAttribute('content')) {
-  cspNonce = cspMetaEl.getAttribute('content')
-}
 
 /*
 Frozen to prevent unintentional changes to this object. This object is strictly readonly.
@@ -55,4 +50,4 @@ const siteTheme = createTheme({
 })
 const gaId = mylaGlobals.google_analytics_id
 
-export { user, siteTheme, gaId, cspNonce, viewHelpURLs, surveyLink }
+export { user, siteTheme, gaId, viewHelpURLs, surveyLink }

assets/src/index.js

@@ -6,7 +6,7 @@ import './index.css'
 import App from './containers/App'
 import client from './service/client'
 import { ApolloProvider } from '@apollo/client'
-import { user, siteTheme, gaId, cspNonce } from './globals'
+import { user, siteTheme, gaId } from './globals'
 // import * as serviceWorker from './serviceWorker'
 
 const container = document.getElementById('root')
@@ -15,7 +15,7 @@ root.render(
   <Router basename='/'>
     <ApolloProvider client={client}>
       <ThemeProvider theme={siteTheme}>
-        <App user={user} gaId={gaId} cspNonce={cspNonce} />
+        <App user={user} gaId={gaId} />
       </ThemeProvider>
     </ApolloProvider>
   </Router>

config/env_sample.hjson

@@ -32,7 +32,6 @@
             "STYLE":["'unsafe-inline'", "*.umich.edu", "umich.edu", "*.ngrok-free.app"]
         },
         "UPGRADE_INSECURE_REQUESTS": false,
-        "INCLUDE_NONCE_IN": ["script-src"]
     },
     # default password length indicator incase of creating user from command line or LTI auto login
     "RANDOM_PASSWORD_DEFAULT_LENGTH": 32,

dashboard/settings.py

@@ -426,7 +426,6 @@ def apply_env_overrides(env: Dict[str, Any], environ: os._Environ) -> Dict[str,
             'connect-src': csp_sources["CONNECT"],
             'style-src': csp_sources["STYLE"],
             'upgrade-insecure-requests': csp_directives["UPGRADE_INSECURE_REQUESTS"],
-            'include-nonce-in': csp_directives["INCLUDE_NONCE_IN"]
         }
     }
 # If CSP not set, add in XFrameOptionsMiddleware

dashboard/templates/base.html

@@ -3,11 +3,11 @@
 
 <!DOCTYPE html>
 <html lang="en" xmlns="http://www.w3.org/1999/html">
+
 <head>
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1">
-    <meta name="csp-nonce" content="{{ request.csp_nonce }}">
     <title>{% block title %}{% endblock %}</title>
     <link rel="stylesheet" type="text/css" href="{% static 'fontawesomefree/css/all.min.css' %}">
     <script src="{% static 'fontawesomefree/js/all.min.js' %}"></script>
@@ -41,7 +41,7 @@
             privacyUrl: false
         };
     </script>
-    <script async nonce="{{ request.csp_nonce }}" src="https://umich.edu/apis/umconsentmanager/consentmanager.js"></script> 
+    <script async src="https://umich.edu/apis/umconsentmanager/consentmanager.js"></script> 
 </head>
 <body>
     {% include "su/is_su.html" %}
@@ -77,4 +77,4 @@
         </table>
     </footer>
 </body>
-</html>
+</html>