porta
THREESCALE-10688: Fix Rapidast warnings
What this PR does / why we need it:
Running Rapidast against porta reveals two errors:
Billing API:
Job openapi target: https://3scale-admin.DOMAIN/ error: attribute paths.'/api/invoices/{id}.xml'(put).requestBody.content.'application/x-www-form-urlencoded'.encoding.field_definitions is unexpected
All APIs and UI:
Content Security Policy (CSP) Header Not Set
This PR fixes both warnings.
EDIT: After some comments, this is the implemented CSP:
- Admin portal:
  - Fonts, images, scripts and styles allowed from :self and CDN
  - All AJAX connections allowed
  - Everything else only allowed from :self
- Developer portal:
  - Everything allowed
Which issue(s) this PR fixes
https://issues.redhat.com/browse/THREESCALE-10688
Verification steps
Run Rapidast and ensure the warnings are gone.
Special notes for your reviewer:
https://github.com/3scale/porta/commit/31e4f510fe4ee034ad2a0c16d0629eaf2fac104c: The Billing API warning is only a validation error, because content.encoding must mention a property in content.schema, and field_definitions is not. Check the reference.
https://github.com/3scale/porta/commit/4d4d88413fde89ef0cdd393d5eb0ecfd32655a2d: The CSP error is legit, we don't have CSP enabled for porta. Fortunately, Rails provides a feature to enable it easily. Read the docs and the code.
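As an added illustration (not porta's code; the real change goes through Rails' `config.content_security_policy` initializer, which is not reproduced here), this builds the two header values the policy above describes and parses them back so they can be checked; the CDN host is a placeholder.

```ruby
# Added example, not porta's own code. Builds the CSP header values the PR
# describes and parses them back for checking. CDN_HOST is a placeholder.
CDN_HOST = "https://cdn.example.com" # assumed placeholder, not porta's CDN

# Symbols become quoted CSP keywords ('self', 'unsafe-inline'), like the Rails DSL.
def csp_source(src)
  src.is_a?(Symbol) ? "'#{src.to_s.tr('_', '-')}'" : src
end

# Serialise { "default-src" => [:self] } into a header value.
def csp_header(directives)
  directives.map { |name, srcs| "#{name} #{srcs.map { |s| csp_source(s) }.join(' ')}" }.join("; ")
end

# Admin portal: fonts, images, scripts and styles from self and the CDN,
# AJAX (connect-src) anywhere, everything else only from self.
def admin_portal_csp
  csp_header(
    "default-src" => [:self],
    "font-src"    => [:self, CDN_HOST],
    "img-src"     => [:self, CDN_HOST],
    "script-src"  => [:self, CDN_HOST],
    "style-src"   => [:self, CDN_HOST],
    "connect-src" => ["*"]
  )
end

# Developer portal: everything allowed, but the header is still present,
# which is what the scanner finding was about.
def developer_portal_csp
  csp_header("default-src" => ["*"])
end

# Parse a header value back into { directive => [sources] }.
def parse_csp(value)
  value.split(";").each_with_object({}) do |part, acc|
    name, *srcs = part.strip.split(/\s+/)
    acc[name] = srcs unless name.nil?
  end
end

# Fetch-directive lookup with the default-src fallback browsers apply.
def effective_sources(policy, directive)
  policy[directive] || policy["default-src"] || []
end

puts admin_portal_csp
puts developer_portal_csp
```

Because anything not listed (frames, media, workers) falls back to default-src, the admin policy keeps those at 'self' without naming them.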
Some useful links about CSP:
- https://content-security-policy.com/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources