CSP: remove Angular Templates #8700

Open
Matt-Yorkley opened this issue Jan 11, 2022 · 0 comments
Labels: security, tech debt

Comments

Matt-Yorkley (Contributor) commented Jan 11, 2022

What we should change and why (this is tech debt)

We need to get to a place where we can remove the unsafe_eval directive from our CSP configuration in config/initializers/content_security_policy.rb. In order to do that we need to remove/replace a few things in the codebase (otherwise the app will be broken). The main one is our use of Angular Templates.

Removing and replacing our Angular Templates will be quite tricky but we can do it one bit at a time. As a bit of background, this functionality is provided by gem 'angular-rails-templates', '>= 0.3.0' in the Gemfile and the templates mostly live (at the time of writing) in /app/assets/javascripts/templates/*. They look like this:

```haml
%div{"ng-controller" => "AuthenticationCtrl"}
  %tabset
    %ng-include{src: "'login.html'"}
    %ng-include{src: "'signup.html'"}
    %ng-include{src: "'forgot.html'"}
  %a.close-reveal-modal{"ng-click" => "$close()"}
    %i.ofn-i_009-close
```

Confusingly, we also have a bunch of template directives scattered around under app/views/* as well 🤕 They look like this:

```haml
%script{ type: "text/ng-template", id: "shop/producers.html" }
  .content#producers{"ng-controller" => "ProducersTabCtrl"}
    .row
      .small-12.columns
        %h5
          = t :shopping_producers_of_hub, hub: '{{ shopfront.name }}'
        %ul.small-block-grid-1.medium-block-grid-2.large-block-grid-3
```

It's not simple to just remove these; we need to replace their functionality with completely different frontend implementations which solve. Hopefully we'll start to have more examples of how to do that nicely in the codebase soon, and it'll become more obvious what ditching these templates looks like in practice.

All of this stuff explodes unless unsafe_eval is used. We need to transition away from these Angular Templates, ultimately remove them completely, and then remove unsafe_eval from our CSP configuration.

Context

This came up as part of #8648

Impact and timeline

The impact is huge but the timeline is unlikely to be short.

When this is finished we should be able to remove the unsafe_eval directive from our CSP config and still have a green build.
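An added example, not code from this issue or from the openfoodnetwork repository: a small CSP header parser plus the check a CI step could run against the served Content-Security-Policy header to confirm that eval is no longer permitted once the templates are gone. The Rails initializer lines in the comments are an assumed shape (the issue does not quote config/initializers/content_security_policy.rb), and the header values are constructed for illustration. The `parse_csp`, `effective_script_src` and `allows_eval?` names are this example's own.

```ruby
# Added example (not from the openfoodnetwork repo): parse a
# Content-Security-Policy header and report whether it still lets the
# page run eval()/new Function(), which is what Angular's client-side
# template compilation needs and what the issue wants to get rid of.
#
# In the Rails initializer the weak and the hardened directive look
# roughly like this (assumed shape; the issue does not quote the file):
#
#   # before: kept while Angular templates are compiled in the browser
#   policy.script_src :self, :unsafe_eval
#   # after: templates removed, eval no longer required
#   policy.script_src :self
#
# Constructed header values mirroring those two states:
CSP_WITH_EVAL    = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'"
CSP_WITHOUT_EVAL = "default-src 'self'; script-src 'self'; object-src 'none'"
# No script-src at all: browsers fall back to default-src for scripts.
CSP_DEFAULT_ONLY = "default-src 'self' 'unsafe-eval'"

# Parse a CSP header into { "directive-name" => [source expressions] }.
# Directives are separated by ';', tokens by whitespace. When a directive
# appears twice, browsers honour the first occurrence and ignore the rest,
# so a sneaky second "script-src 'unsafe-eval'" does not widen the policy.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?
    name = tokens.shift.downcase
    acc[name] ||= tokens
  end
end

# Source list that governs script execution: script-src when present,
# otherwise default-src, otherwise nil (no restriction at all).
def effective_script_src(policy)
  policy["script-src"] || policy["default-src"]
end

# True when the policy permits eval(): either 'unsafe-eval' is in the
# effective script source list, or nothing restricts scripts at all.
def allows_eval?(header)
  sources = effective_script_src(parse_csp(header))
  return true if sources.nil?
  sources.any? { |s| s.downcase == "'unsafe-eval'" }
end

if __FILE__ == $0
  [CSP_WITH_EVAL, CSP_WITHOUT_EVAL, CSP_DEFAULT_ONLY].each do |h|
    puts "#{allows_eval?(h) ? 'ALLOWS' : 'blocks'} eval: #{h}"
  end
end
```

Run against the real application with something like `curl -sI https://<host>/ | grep -i content-security-policy` and feed the header value to `allows_eval?`; a green build after dropping `:unsafe_eval` is only meaningful if the served header actually changed, and this check catches the case where a `default-src` still smuggles `'unsafe-eval'` in.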
