Skip to content

csp: embed policy name in reports#1814

Closed
alxndrsn wants to merge 44 commits into
getodk:nextfrom
alxndrsn:csp-report-names
Closed

csp: embed policy name in reports#1814
alxndrsn wants to merge 44 commits into
getodk:nextfrom
alxndrsn:csp-report-names

Conversation

@alxndrsn
Copy link
Copy Markdown
Contributor

@alxndrsn alxndrsn commented Apr 15, 2026
edited
Loading

This should significantly simplify understanding of reports.

What has been done to verify that this works as intended?

Updated tests.

Why is this the best possible solution? Were any other approaches considered?

It makes every header bigger, so I've aimed to keep the additional data small.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Should not have a noticeable effect.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

alxndrsn
alxndrsn commented Apr 15, 2026
View reviewed changes
Comment thread files/nginx/odk.conf.template Outdated
alxndrsn
alxndrsn commented Apr 16, 2026
View reviewed changes
Comment thread nginx.dockerfile Outdated
alxndrsn
alxndrsn commented Apr 16, 2026
View reviewed changes
Comment thread test/nginx/src/mocha/nginx.spec.js Outdated
alxndrsn
alxndrsn commented Apr 20, 2026
View reviewed changes
Comment thread test/nginx/mock-sentry/index.js
@alxndrsn alxndrsn mentioned this pull request Apr 20, 2026
Merged
2 tasks
alxndrsn
alxndrsn commented Apr 20, 2026
View reviewed changes
Comment thread test/nginx/src/mocha/nginx.spec.js Outdated
alxndrsn
alxndrsn commented Apr 20, 2026
View reviewed changes
Comment thread test/nginx/src/mocha/nginx.spec.js
@alxndrsn alxndrsn marked this pull request as ready for review April 22, 2026 10:33
matthew-white
matthew-white reviewed Apr 23, 2026
View reviewed changes
Comment thread files/nginx/odk.conf.template
include /usr/share/odk/nginx/common-headers.conf;
}

location /csp-report {
Copy link
Copy Markdown
Member

@matthew-white matthew-white Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the removal of this line probably means that there's something to change about user docs. At https://docs.getodk.org/central-install-digital-ocean/#disabling-or-customizing-sentry, when describing how to disable Sentry, this line is referenced.

matthew-white
matthew-white reviewed Apr 23, 2026
View reviewed changes
Comment thread files/nginx/odk.conf.template
Comment on lines +218 to +225
location = /csp/b/err { include /usr/share/odk/nginx/csp.conf; }
location = /csp/r/err { include /usr/share/odk/nginx/csp.conf; }
location = /csp/b/fe { include /usr/share/odk/nginx/csp.conf; }
location = /csp/r/fe { include /usr/share/odk/nginx/csp.conf; }
location = /csp/b/wf { include /usr/share/odk/nginx/csp.conf; }
location = /csp/r/wf { include /usr/share/odk/nginx/csp.conf; }
location = /csp/b/XX { include /usr/share/odk/nginx/csp.conf; }
location = /csp/r/XX { include /usr/share/odk/nginx/csp.conf; }
Copy link
Copy Markdown
Member

@matthew-white matthew-white Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most of these make sense to me, but there are two that I don't fully understand:

  • err. I think this means: "The default Content Security Policy. It's supposed to be overridden, so if it's seen in Sentry, something unexpected has happened."
  • XX. In tests, I see this is related to backend-unmodified. I don't totally remember what backend-unmodified is for though. Would you mind jogging my memory? Is XX just for testing? Could it be renamed to test?

@matthew-white
Copy link
Copy Markdown
Member

matthew-white commented Apr 23, 2026

This should significantly simplify understanding of reports.

Just to make sure I understand this, I think it helps because it will surface the policy name in Sentry, because Sentry shows the full Content Security Policy, which includes the report-uri. Is that right?

@alxndrsn alxndrsn marked this pull request as draft April 29, 2026 11:41
@alxndrsn
Copy link
Copy Markdown
Contributor Author

alxndrsn commented May 5, 2026

Consider for the future. For now, other approaches have helped identify which policy is active.

@alxndrsn alxndrsn closed this May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matthew-white matthew-white matthew-white left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alxndrsn @matthew-white