ubuntu.com feat: add security headers

Done

Added security headers.

Content-Security-Policy: Restrict resources (e.g., JavaScript, CSS, Images) and URLs
Referrer-Policy: Limit referrer data for security while preserving full referrer for same-origin requests
Cross-Origin-Embedder-Policy: allows embedding cross-origin resources
Cross-Origin-Opener-Policy: enable the page to open pop-ups while maintaining same-origin policy
Cross-Origin-Resource-Policy: allowing cross-origin requests to access the resource
X-Permitted-Cross-Domain-Policies: disallows cross-domain access to resources

QA

Open : https://ubuntu-com-14411.demos.haus/
Verify no security header error is shown in the console.
Verify all the images, videos, iframes and other resources are shown correctly
Verify there is no behavior change (such as a link doesnt open)
Open header analyzer
Verify Referrer-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and X-Permitted-Cross-Domain-Policies headers arent missing

Issue / Card

Fixes #14446, #14447, #14448, #14449, #14450, #14451, #14452

Oct 11 '24 08:10 ilayda-cp

Demo

Jenkins

demos.haus

Oct 11 '24 08:10 webteam-app

I get on the homepage:

Refused to connect to 'https://region1.google-analytics.com/g/collect?v=2&tid=G-5LTL1CNEJM&gtm=45je4a90v882794756z871014405za200zb71014405&_p=1728640748304&gcs=G100&gcd=13p3p3p3p5l1&npa=1&dma_cps=-&dma=0&tag_exp=101671035~101686685&cid=258964618.1728640750&ul=en-gb&sr=2560x1440&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B129.0.6668.70%7CNot%253DA%253FBrand%3B8.0.0.0%7CChromium%3B129.0.6668.70&uamb=0&uam=&uap=Linux&uapv=5.15.0&uaw=0&are=1&frm=0&pscdl=denied&_s=1&sid=1728640749&sct=1&seg=0&dl=https%3A%2F%2Fubuntu-com-14411.demos.haus%2F&dt=Enterprise%20Open%20Source%20and%20Linux%20%7C%20Ubuntu&en=impression&_fv=1&_nsi=1&_ss=1&ep.type=takeover&ep.impression_from=https%3A%2F%2Fubuntu-com-14411.demos.haus%2F&ep.impression_to=https%3A%2F%2Fubuntu.com%2Fblog%2Fcanonical-releases-ubuntu-24-10-oracular-oriole%3Futm_campaign%3Dtakeover&ep.impression_cta=read%20the%20press%20release&tfd=1938' because it violates the following Content Security Policy directive: "connect-src 'self'

Oct 11 '24 10:10 anthonydillon

@anthonydillon fixed it could you try again?

Oct 11 '24 11:10 ilayda-cp

I still get a Reused connection to https://region1.google-analytics.com. Do you need to wildcard the subdomain?

Oct 14 '24 18:10 anthonydillon

Also we need vimeo on this page: https://ubuntu-com-14411.demos.haus/16-04/azure

Oct 14 '24 18:10 anthonydillon

@usamabinnadeem-10 and @abhigyanghosh30 could you check creds and pro store on this demo please

Oct 14 '24 19:10 anthonydillon

In the checkout, the captcha seems to be broken

Oct 14 '24 19:10 abhigyanghosh30

@abhigyanghosh30 can you describe how you get that page?

Oct 15 '24 07:10 ilayda-cp

@abhigyanghosh30 can you describe how you get that page?

So to recreate the issue

Visit https://ubuntu-com-14411.demos.haus/pro/subscribe
Select any product combination and click on the buy button at the bottom

It will take you to /account/checkout which is where the error occurs

Oct 15 '24 07:10 abhigyanghosh30

Also we need vimeo on this page: https://ubuntu-com-14411.demos.haus/16-04/azure

@anthonydillon it might not related with the security headers beaceuse:

vimeo has already added to the frame-src
no blocked content warning is shown in the console or the network tab
i checked out to the main branch still have the same error

could you verify if its working for you locally on main?

Oct 15 '24 11:10 ilayda-cp

Fixed the captcha

Oct 15 '24 11:10 ilayda-cp

@abhigyanghosh30 @usamabinnadeem-10 could you give this branch another review in regards to CUE and Pro, please?

Nov 23 '24 08:11 anthonydillon

Can somebody review this?

Dec 09 '24 07:12 ilayda-cp

@abhigyanghosh30 @usamabinnadeem-10 could you give this branch another review in regards to CUE and Pro, please?

The Pro and CUE shop work now.

Dec 09 '24 08:12 abhigyanghosh30