feat: Enable CSP with nonce + strict-dynamic #360

andreituicu · 2025-02-27T10:31:40Z

Description

Tryout a content security policy with nonce + strict-dynamic.

Motivation and Context

This is to help mitigate the risk of XSS.
A more in detail (but not exhaustive) description of what should be protected and what not can be found in adobe/helix-html-pipeline#773 .

Note: currently the nonce generation is Helix 5 only.
As far as I can see, da.live is currently using Helix 4, so it would either need an upgrade of DA to Helix 5, or the backport of the feature to Helix 4 to be deployed (adobe/helix-html-pipeline#811)

How Has This Been Tested?

Manually on https://csp--da-live--adobe.aem.live/ .
I did not observe any CSP violations in the navigation or editor.
Would be interesting if there are any additional automated tests that can be executed.
LE.: looks like the playwright tests from the PR are passing. 🙂

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

I have signed the Adobe Open Source CLA.
My code follows the code style of this project.
My change requires a change to the documentation.
I have updated the documentation accordingly.
I have read the CONTRIBUTING document.
I have added tests to cover my changes.
All new and existing tests passed.

aem-code-sync · 2025-02-27T10:31:44Z

Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch and validate page speed.
In case there are problems, just click a checkbox below to rerun the respective action.