
Commit 68d7cd7

igbanam and cursoragent authored
Reduce CSP inline style violations in drug stock webviews (#5786)
**Story card:** [SIMPLEBACK-95](https://rtsl.atlassian.net/browse/SIMPLEBACK-95)

## Because

`style-src-attr` and `style-src-elem` CSP [violations](https://resolve-to-save-lives.sentry.io/organizations/resolve-to-save-lives/issues/3586002970/) are among the highest-volume Sentry errors for Simple Server, with a large concentration on the webview drug stock pages.

## This addresses

- Adds CSP nonce attributes to helper-generated inline assets:
  - `inline_stylesheet`
  - `inline_js`
- Removes inline `style="..."` attributes from the highest-traffic webview templates:
  - `app/views/webview/drug_stocks/new.html.erb`
  - `app/views/webview/drug_stocks/index.html.erb`
- Adds a CSP nonce to the inline script in `webview/drug_stocks/new`.
- Removes inline `style` attributes from SVG assets used on that flow:
  - `app/assets/images/chevron-left.svg`
  - `app/assets/images/check-mark-small.svg`

## Test instructions

1. Open the drug stock webview pages:
   - `/webview/drug_stocks/new`
   - `/webview/drug_stocks`
2. Verify both pages render correctly (buttons, footer spacing, icons).
3. Inspect page source/DOM and confirm there are no inline `style="..."` attributes on the modified elements.
4. Confirm helper-generated inline `<style>` / `<script>` tags include a `nonce` attribute.
5. Monitor Sentry issues `SIMPLE-SERVER-1RQ` and `SIMPLE-SERVER-1RR` after deploy for a drop in new events.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Igbanam <igbanam@users.noreply.github.com>
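The commit takes two different routes for the two directives named above: it nonces helper-generated `<style>`/`<script>` elements, but it deletes inline `style="..."` attributes outright. The reason is that a CSP nonce only ever satisfies the `*-elem` directives; `style-src-attr` has no nonce mechanism, so an attribute can only be allowed by `'unsafe-inline'` (or a hash plus `'unsafe-hashes'`). The following is an added, self-contained model of that rule written for this page; it is not code from the Simple Server project or its authors, and the policy and directive names it builds are constructed for illustration (the real header is produced by Rails' CSP initializer, which is not shown here).

```ruby
require "securerandom"

# Added example, not the project's code: a minimal model of how CSP Level 3
# decides whether inline style/script content may run, restricted to the
# rules that matter for this commit.

# One fresh nonce per response; 16 random bytes, base64 encoded.
def generate_csp_nonce
  SecureRandom.base64(16)
end

# Constructed policy: element directives carry a nonce source, the attribute
# directive cannot (there is no such thing as a nonced style="..." attribute).
def build_csp_policy(nonce)
  {
    "style-src-elem" => ["'self'", "'nonce-#{nonce}'"],
    "style-src-attr" => ["'self'"],
    "script-src-elem" => ["'self'", "'nonce-#{nonce}'"]
  }
end

# Serialise the policy hash into a Content-Security-Policy header value.
def csp_header_value(policy)
  policy.map { |directive, sources| "#{directive} #{sources.join(" ")}" }.join("; ")
end

DIRECTIVE_FOR = {
  style_elem: "style-src-elem",
  style_attr: "style-src-attr",
  script_elem: "script-src-elem"
}.freeze

# Decide whether one piece of inline content is allowed.
#   - 'self' only matches URLs, so it never allows inline content;
#   - 'unsafe-inline' allows everything, but browsers ignore it as soon as the
#     same directive also lists a nonce or hash source;
#   - a nonce attribute counts only for *-elem directives, only when it is
#     non-empty, and only when the policy lists exactly that nonce.
# Hash sources ('sha256-...' with 'unsafe-hashes' for attributes) are not modelled.
def inline_allowed?(policy, kind, nonce: nil)
  sources = policy.fetch(DIRECTIVE_FOR.fetch(kind))
  has_nonce_or_hash = sources.any? { |s| s.start_with?("'nonce-", "'sha") }
  return true if sources.include?("'unsafe-inline'") && !has_nonce_or_hash
  return false if kind == :style_attr          # nonces never apply to attributes
  return false if nonce.nil? || nonce.empty?   # a missing nonce or nonce="" never matches
  sources.include?("'nonce-#{nonce}'")
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_csp_nonce
  policy = build_csp_policy(nonce)
  puts csp_header_value(policy)
  puts "nonced <style>:         #{inline_allowed?(policy, :style_elem, nonce: nonce)}"
  puts "un-nonced <style>:      #{inline_allowed?(policy, :style_elem)}"
  puts "nonce=\"\" <script>:      #{inline_allowed?(policy, :script_elem, nonce: "")}"
  puts "style=\"...\" attribute: #{inline_allowed?(policy, :style_attr, nonce: nonce)}"
end
```

Run with `ruby csp_model.rb`: only the nonced element is allowed, the attribute is refused even though a valid nonce is passed, and an empty `nonce=""` behaves exactly like no nonce at all, which is why a helper that omits the attribute when no nonce exists is preferable to one that renders an empty one.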
1 parent 5637546 commit 68d7cd7

5 files changed

Lines changed: 16 additions & 11 deletions

app/assets/images/check-mark-small.svg

Lines changed: 1 addition & 1 deletion

app/assets/images/chevron-left.svg

Lines changed: 1 addition & 1 deletion

app/helpers/assets_helper.rb

Lines changed: 7 additions & 2 deletions
@@ -1,4 +1,9 @@
11
module AssetsHelper
2+
def csp_nonce_attributes
3+
nonce = respond_to?(:content_security_policy_nonce) ? content_security_policy_nonce : nil
4+
nonce.present? ? {nonce: nonce} : {}
5+
end
6+
27
def inline_file(asset_name)
38
if (asset = Rails.application.assets&.find_asset(asset_name))
49
asset.source.html_safe
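Review bot: `csp_nonce_attributes` (lines 2 to 5) silently returns `{}` when `content_security_policy_nonce` is missing or nil, so in an environment where `config.content_security_policy_nonce_generator` is not configured the `<style>`/`<script>` tags ship without a nonce and the same `style-src-elem` violation recurs with nothing to flag it. Consider a helper spec that asserts `{nonce: ...}` is returned when the generator is configured, and a short comment on why the `respond_to?` guard exists (the helper can be mixed in outside a view context), so the silent fallback is a documented choice rather than a surprise.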
@@ -9,11 +14,11 @@ def inline_file(asset_name)
914
end
1015

1116
def inline_js(asset_name)
12-
content_tag(:script, inline_file(asset_name), type: "text/javascript")
17+
content_tag(:script, inline_file(asset_name), {type: "text/javascript"}.merge(csp_nonce_attributes))
1318
end
1419

1520
def inline_stylesheet(asset_name)
16-
content_tag(:style, inline_file(asset_name), type: "text/css")
21+
content_tag(:style, inline_file(asset_name), {type: "text/css"}.merge(csp_nonce_attributes))
1722
end
1823

1924
def inline_svg(asset_name, classname: "svg-container")
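Review bot: the `.merge(csp_nonce_attributes)` on lines 17 and 22 covers `inline_js` and `inline_stylesheet`, but `inline_svg` directly below is left untouched, so any inline SVG that still carries `style="..."` attributes keeps producing `style-src-attr` events; the commit message handles two SVG assets by editing the files rather than the helper, which is fine but worth a note here so nobody expects the helper to cover it. Also, attaching a nonce to content that `inline_file` already marks `html_safe` means the browser now trusts whatever the asset contains, so this helper should stay limited to pipeline assets resolved through `find_asset`, never to names influenced by request data.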

app/views/webview/drug_stocks/index.html.erb

Lines changed: 4 additions & 4 deletions
@@ -1,5 +1,5 @@
11
<!DOCTYPE html>
2-
<html lang="en" style="scroll-behavior: auto;">
2+
<html lang="en">
33
<head>
44
<meta charset="utf-8">
55
<meta name="HandheldFriendly" content="True">
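Review bot: the removed `style="scroll-behavior: auto;"` on line 2 gets no replacement, unlike the other inline styles in this commit which each map to a utility class. If it was there to override a `scroll-behavior: smooth` rule from `user_analytics.css`, dropping it changes scroll behaviour on the page; either confirm the declaration was dead or move it into the stylesheet as a rule rather than an attribute.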
@@ -13,8 +13,8 @@
1313
<%= inline_stylesheet("user_analytics.css") %>
1414
</head>
1515
<body id="progress">
16-
<div class="p-fixed b-0 l-0 zi-100 w-100 p-8px bgc-blue-light bs-border-box bs-fixed-card" style="padding-bottom: 12px;">
17-
<a href="simple://progress-tab" class="d-block w-100 p-16px ta-center bgc-blue tt-uppercase ls-1_25px br-4px fs-16px b-none bs-primary-button bs-border-box" style="font-weight: 700; color: #ffffff;">
16+
<div class="p-fixed b-0 l-0 zi-100 w-100 p-8px pb-12px bgc-blue-light bs-border-box bs-fixed-card">
17+
<a href="simple://progress-tab" class="d-block w-100 p-16px ta-center fw-bold c-white bgc-blue tt-uppercase ls-1_25px br-4px fs-16px b-none bs-primary-button bs-border-box">
1818
Done
1919
</a>
2020
</div>
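Review bot: the replacement utility classes `pb-12px`, `fw-bold` and `c-white` on lines 16 and 17 are not added anywhere in this commit, so the footer padding and the button's bold white text now depend on those classes already existing in `user_analytics.css` (loaded on line 13). A missing class fails silently rather than raising, so confirm they are defined before relying on the visual check in the test instructions.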
@@ -31,7 +31,7 @@
3131
See stock in estimated patient days below
3232
</p>
3333
</div>
34-
<h3 class="m-0px p-0px pl-16px pb-12px ta-left fw-medium fs-18px c-grey" style="color: #82878F;">
34+
<h3 class="m-0px p-0px pl-16px pb-12px ta-left fw-medium fs-18px c-grey">
3535
Report for end of <%= @for_end_of_month.to_s(:mon_year) %>
3636
</h3>
3737
<% @drugs_by_category.each do |category, drugs| %>
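Review bot: on line 34 the inline `color: #82878F` was overriding the `c-grey` class that is still present, so removing it hands the heading colour to whatever `c-grey` resolves to. If that class is not `#82878F`, the colour changes; check the utility class definition and, if it differs, add a dedicated class in the stylesheet rather than reintroducing an inline attribute.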

app/views/webview/drug_stocks/new.html.erb

Lines changed: 3 additions & 3 deletions
@@ -118,15 +118,15 @@
118118
<% end %>
119119
<% end %>
120120
</div>
121-
<div class="p-fixed b-0 l-0 zi-100 w-100 p-8px bgc-blue-light bs-border-box bs-fixed-card" style="padding-bottom: 12px;">
122-
<%= form.button "SAVE", class: "d-block w-100 p-16px ta-center bgc-blue tt-uppercase ls-1_25px br-2px fs-16px b-none bs-primary-button bs-border-box", style: "font-weight: 700; color: #ffffff;" %>
121+
<div class="p-fixed b-0 l-0 zi-100 w-100 p-8px pb-12px bgc-blue-light bs-border-box bs-fixed-card">
122+
<%= form.button "SAVE", class: "d-block w-100 p-16px ta-center fw-bold c-white bgc-blue tt-uppercase ls-1_25px br-2px fs-16px b-none bs-primary-button bs-border-box" %>
123123
</div>
124124
<% end %>
125125
</div>
126126
</div>
127127
</div>
128128
</body>
129-
<script type="text/javascript" charset="utf-8">
129+
<script type="text/javascript" charset="utf-8" nonce="<%= content_security_policy_nonce %>">
130130
window.addEventListener("load", function() {
131131
let monthSelect = document.getElementById("for_end_of_month");
132132
monthSelect.addEventListener("change", function(e) {
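Review bot: line 129 interpolates `content_security_policy_nonce` directly, whereas the helper in `assets_helper.rb` omits the attribute when the nonce is nil. When no nonce generator is configured this renders `nonce=""`, which never matches a `'nonce-...'` source, so the script is still blocked but now looks nonced in the DOM. Using the same path as the helper, for example `javascript_tag(nonce: true) do ... end`, keeps both code paths consistent. Separately and pre-existing, the `<script>` sits after `</body>`; browsers tolerate it, but moving it inside `<body>` would be cleaner.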
