@Scotchester Scotchester commented Nov 5, 2025

script-src: code.jquery.com and style-src: unsafe-inline were both required only by the django-google-sso UI. This PR overrides the package's template and styling to eliminate the need for those.

Closes #3257

To do before finalizing: Review CSP errors in Sentry.

@github-actions github-actions bot added the front-end HTML/CSS/JavaScript and Django templates label Nov 5, 2025
@github-actions github-actions bot added back-end Django views, sessions, middleware, models, migrations etc. and removed front-end HTML/CSS/JavaScript and Django templates labels Nov 5, 2025
github-actions bot commented Nov 5, 2025

Coverage report

Coverage table (File / Statements / Missing / Coverage / Lines missing): benefits/settings.py; Project Total
This report was generated by python-coverage-comment-action

@Scotchester Scotchester force-pushed the chore/rm-style-src-unsafe-inline branch from ba1b276 to adfec05 Compare November 5, 2025 16:57
@Scotchester Scotchester (Member Author) commented

Investigated the three unresolved CSP errors in Sentry. Found that some appear to only apply to browser extensions, some apply to what was already fixed in this PR, and the third I fixed with the second commit here. Ready for review!

@Scotchester Scotchester marked this pull request as ready for review November 5, 2025 16:59
@Scotchester Scotchester requested a review from a team as a code owner November 5, 2025 16:59
"https://cdn.amplitude.com/libs/",
"https://cdn.jsdelivr.net/",
"*.littlepay.com",
"https://code.jquery.com/jquery-3.6.0.min.js",
Member
since we aren't using jquery in the admin login page anymore, can/should we revisit this code comment?

{% comment %} Overriding instead of extending agency-base here to remove jQuery declaration, which admin/login.html includes on its own {% endcomment %}
{% include "core/includes/analytics.html" with api_key=analytics.api_key uid=analytics.uid did=analytics.did %}

Member Author
Good catch! I tried cross-referencing the history of that comment being added with what Django seems to be doing now and couldn't pull together a complete picture, but it's clear that we aren't adding our own jQuery anywhere in the admin, so I see no reason for this comment to remain.

Member Author
Updated.

@angela-tran angela-tran Nov 7, 2025
I'll add in my two cents too that this comment probably was referring to how django-google-sso loads in jQuery 3.6.0 in its template, so all good to remove it.

jgravois commented Nov 6, 2025

alright, main is unborked now so the next time you push a commit to this branch i expect you'll see ✅ again. sorry for the inconvenience!

@angela-tran angela-tran left a comment

I've finished reviewing this. One last note is that 912c1ae contained several changes in it and could've been easier to review if broken out into more atomic commits. But aside from that, this looks good to me!

I left a question on a minor thing with leaving behind a console.log line and plan to approve once that's resolved. Nice work!

@jgravois jgravois left a comment

i learned a lot reading up on CSP to be able to make sense of this PR. very cool! 🏂

"DIRECTIVES": {
"base-uri": [NONE],
"connect-src": [SELF, "https://api.amplitude.com/"],
"connect-src": [SELF, "https://api.amplitude.com/", "https://cdn.jsdelivr.net/"],
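Review bot: the new `"https://cdn.jsdelivr.net/"` entry allows connections to every path on that origin, while the need described in this thread is only the source-map requests for the minified Bootstrap assets; narrowing the entry to the directory those assets are served from keeps the allow list as tight as the rest of the policy. A short comment next to the entry saying it exists for source maps would also save the next reader from wondering what on jsdelivr calls fetch().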
@jgravois jgravois Nov 7, 2025

i'm fine with this change, but i wonder where exactly sentry caught out bootstrap trying to call fetch() or one of its friends...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/connect-src

@Scotchester (Member Author)

I mentioned it in the commit's extended description, but it was requests for source maps! Presumably triggered by us looking at things with dev tools.

Member

ah, good sleuthin 🕵️

@Scotchester Scotchester (Member Author) commented

Thanks for the reviews! I agree that I could have made the commits a bit more atomic for easier review.

I also should have generally commented more about my thought process in the PR description. I think that's partly still getting used to the process of putting up a draft PR and then later making it ready for review. I'll try to do better :)

To quickly summarize how it went:

  • In our codebase, the only inline style is in this Google logo SVG
  • But removing that breaks the button styling a bit
  • Looking at the existing markup and style to figure out best how to un-break it, I saw that there was also an inline style block and inline script block in the package's template, which we can't add a nonce to
  • Therefore we needed to start from a place of overriding the package's template to get rid of those unsafe blocks
  • We also had a somewhat large number of styles, overriding a lot of what the package provided
  • And wow, the button markup that the package provides is way more complicated than it needs to be
  • Therefore I concluded that the best path forward was to rewrite the markup and simplify the styles accordingly, leaving in the ability to add buttons for additional SSO providers

I'll update this on Monday for a final review! (Or pause until after the sprint?)
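As an added example (not the benefits project's own code), a small lint for a django-csp style DIRECTIVES dict that flags the three things this thread deals with: 'unsafe-inline' on script-src/style-src, scheme-less host entries, and whole-origin allow-list entries such as the cdn.jsdelivr.net one that could be narrowed to the source-map path. The policy values are constructed from the snippets quoted in the review, and the Bootstrap directory under cdn.jsdelivr.net is a placeholder, not the project's real path.

```python
from urllib.parse import urlsplit

SELF, NONE, UNSAFE_INLINE = "'self'", "'none'", "'unsafe-inline'"

# Constructed policies in the shape of django-csp's CONTENT_SECURITY_POLICY["DIRECTIVES"].
# They mirror the lines discussed in this PR but are not the benefits project's settings.py;
# the Bootstrap path under cdn.jsdelivr.net is a placeholder for the real asset directory.
BEFORE = {
    "base-uri": [NONE],
    "connect-src": [SELF, "https://api.amplitude.com/"],
    "script-src": [SELF, "https://cdn.amplitude.com/libs/", "*.littlepay.com",
                   "https://code.jquery.com/jquery-3.6.0.min.js"],
    "style-src": [SELF, UNSAFE_INLINE],
}
AFTER = {
    "base-uri": [NONE],
    "connect-src": [SELF, "https://api.amplitude.com/",
                    "https://cdn.jsdelivr.net/npm/bootstrap@X.Y.Z/dist/"],
    "script-src": [SELF, "https://cdn.amplitude.com/libs/", "*.littlepay.com"],
    "style-src": [SELF],
}


def serialize(directives):
    """Render a DIRECTIVES dict as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def lint(directives):
    """Return (directive, source, problem) tuples for the patterns this PR removes or tightens:
    'unsafe-inline' on code directives, scheme-less hosts, and whole-origin allow-list entries."""
    findings = []
    for name, sources in directives.items():
        for src in sources:
            if src == UNSAFE_INLINE and name in ("default-src", "script-src", "style-src"):
                findings.append((name, src, "inline code allowed; use a nonce or move it to a file"))
            elif src.startswith("'"):
                continue  # other keyword sources such as 'self' and 'none'
            elif "://" not in src:
                findings.append((name, src, "no scheme: inherits the page's scheme; pin https://"))
            elif urlsplit(src).path in ("", "/") and name in ("script-src", "connect-src"):
                findings.append((name, src, "whole origin allowed; narrow to the asset or API path"))
    return findings


if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {serialize(policy)}")
        for finding in lint(policy):
            print("  ", *finding)
```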

@Scotchester Scotchester marked this pull request as draft November 7, 2025 23:07
@angela-tran angela-tran force-pushed the chore/rm-style-src-unsafe-inline branch 2 times, most recently from 3a15e41 to 4e7664f Compare November 25, 2025 23:24
@angela-tran angela-tran self-assigned this Nov 25, 2025
@angela-tran angela-tran force-pushed the chore/rm-style-src-unsafe-inline branch from 5f29c9c to c332806 Compare November 25, 2025 23:40
@angela-tran angela-tran (Member) commented

From Slack

Angela: @Scott Cranfill I could take over that CSP ticket if that would make sense
Scott Cranfill: If you want to, that'd be great! Looks like it's just removing a leftover console.log, a typo fix, and John's suggestion to add specificity to the cdn.jsdelivr.net rule.

All those items have been addressed, and I rebased this branch on top of main to resolve conflicts and squash some commits. Last thing is to check that Littlepay and Switchio enrollment still works (they use jquery and @switchio..., respectively).

@angela-tran angela-tran (Member) commented

Enrollment worked for me locally -- tested with QA environments for Littlepay and Switchio.

image

@angela-tran angela-tran (Member) commented

LP + Switchio enrollment still works with updated connect-src

image

@angela-tran angela-tran force-pushed the chore/rm-style-src-unsafe-inline branch from 3289809 to 6a25813 Compare December 1, 2025 20:53
Scotchester and others added 6 commits December 1, 2025 20:56
script-src: code.jquery.com and style-src: unsafe-inline were both required only by the django-google-sso UI. This commit overrides the package's template and styling to eliminate the need for those.
To resolve CSP errors trying to resolve source maps for minified Bootstrap assets.

See: https://sentry.calitp.org/organizations/sentry/issues/85947/?project=3
@angela-tran angela-tran force-pushed the chore/rm-style-src-unsafe-inline branch from 6a25813 to 5dba2e3 Compare December 1, 2025 20:56
@angela-tran angela-tran marked this pull request as ready for review December 1, 2025 20:57
@angela-tran angela-tran (Member) commented

@thekaveman @lalver1 This is ready for review

Development

Successfully merging this pull request may close these issues.

CSP: Eliminate style-src unsafe-inline directive

5 participants