@stevejalim
Contributor

This changeset is an additional fixup around https://mozilla-hub.atlassian.net/browse/WT-536

It does a few things. My recommendation is to read the code first, then the rest of this description, so you are not swayed (and in case I've not got this right).

  1. for script-src, it only allows unsafe-inline for the Wagtail admin pages which are only enabled for the CMS deployment. This does not appear to affect anything else, but we really need to be sure (e.g. Transcend, GA, cookie banner).

  2. for style-src we had code that enabled unsafe-inline specifically for Transcend, but a few lines above we also had unsafe-inline set as a default. This changeset moves it so that style-src: unsafe-inline is only available if Transcend is enabled.

Testing

I'd welcome a Slack chat about approaches here. I've pushed this branch to www-demo6.allizom.org where we can drive around and also try the CMS, but Transcend isn't enabled there - maybe we could enable it in demos too, tbc on @stephendherrera's blessing.

…nd is enabled

Note that the previous cut of the code didn't add style-src: unsafe inline only
in Transcend mode: it was enabled all the time
@stevejalim stevejalim requested a review from a team as a code owner January 16, 2026 13:26
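
One way to check the two rules in the description against a served header, as an added example that is not code from this pull request or the project: it parses a `Content-Security-Policy` value and reports any directive whose inline allowance differs from the stated intent. The function names, the `is_cms_admin` / `transcend_enabled` flags and the sample headers are assumptions constructed for illustration.

```python
INLINE = "'unsafe-inline'"
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers; the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def allows_inline(policy: dict[str, list[str]], directive: str) -> bool:
    """True if inline content governed by `directive` would be allowed."""
    # script-src and style-src fall back to default-src when absent.
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no governing directive means no restriction at all
    lowered = [s.lower() for s in sources]
    if INLINE not in lowered:
        return False
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    return not any(s.startswith(NONCE_OR_HASH) for s in lowered)


def audit(header: str, *, is_cms_admin: bool, transcend_enabled: bool) -> list[str]:
    """Return directives whose inline allowance differs from the PR's intent."""
    policy = parse_csp(header)
    # Intent per the description: inline scripts only on Wagtail admin pages,
    # inline styles only when Transcend is enabled.
    expected = {"script-src": is_cms_admin, "style-src": transcend_enabled}
    return [d for d, want in expected.items() if allows_inline(policy, d) != want]


# Constructed sample headers (not captured from any deployment).
PUBLIC = "default-src 'self'; script-src 'self' https://cdn.example; style-src 'self'"
ADMIN = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'"
OLD_DEFAULT = "default-src 'self'; style-src 'self' 'unsafe-inline'"
```

A non-empty result from `audit` names the directive that is looser or tighter than intended for that page and configuration.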
@codecov

codecov bot commented Jan 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.08%. Comparing base (2ed16f3) to head (cd00db6).
⚠️ Report is 13 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #16994      +/-   ##
==========================================
+ Coverage   80.36%   81.08%   +0.72%     
==========================================
  Files         163      157       -6     
  Lines        9100     8313     -787     
==========================================
- Hits         7313     6741     -572     
+ Misses       1787     1572     -215     
