Remove Speedcurve's LUX from connect-src policy #216

Merged
merged 2 commits into from
Feb 1, 2022

@injms injms commented Nov 10, 2021

What

Removes the domain that LUX uses for reporting real user metrics from the connect-src content security policy.

Reverts #206.

Why

The domain was originally added because although an image was being used to report the metrics, the image was being served with a content type of application/javascript. This meant the loading of the image was being blocked, which prevented any metrics from being reported.

This rule can now be removed from the connect-src set of rules as the content type is now image/webp:

and is allowed as the domain is in the img-src policy:

```
# Allow images to be loaded for Speedcurve's LUX - used for
# getting real user metrics on GOV.UK
"lux.speedcurve.com"
```
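
To check the effect of this change, the following added example (not code from the pull request or the project) evaluates a simplified policy for an image request versus a fetch or sendBeacon request to lux.speedcurve.com. The policy strings, the `www.gov.uk` self host, the beacon path and all function names are assumptions, and only host matching is modelled.

```javascript
// Added example: simplified CSP evaluation, not the project's own code.
// Request kind -> fetch directive that governs it (CSP Level 3).
const DIRECTIVE_FOR = {
  image: "img-src",
  fetch: "connect-src",
  xhr: "connect-src",
  beacon: "connect-src", // navigator.sendBeacon()
};

// Parse "img-src a b; connect-src c" into { "img-src": ["a", "b"], ... }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    // A duplicate directive is ignored: the first occurrence wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Simplified source match: 'none', *, 'self', exact host, "*.example.com".
// Schemes, ports and paths in source expressions are not modelled.
function hostMatches(source, host, selfHost) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return host === selfHost;
  if (source.startsWith("*.")) return host.endsWith(source.slice(1));
  return source === host;
}

function isAllowed(policy, kind, url, selfHost) {
  const host = new URL(url).hostname;
  // Fall back to default-src when the specific directive is absent.
  const sources = policy[DIRECTIVE_FOR[kind]] ?? policy["default-src"];
  if (sources === undefined) return true; // nothing restricts this request
  return sources.some((s) => hostMatches(s, host, selfHost));
}

// Constructed policies: before and after removing LUX from connect-src.
const SELF = "www.gov.uk"; // assumed page origin host
const IMG = "img-src 'self' lux.speedcurve.com";
const before = parsePolicy(`default-src 'self'; ${IMG}; connect-src 'self' lux.speedcurve.com`);
const after = parsePolicy(`default-src 'self'; ${IMG}; connect-src 'self'`);
const beaconUrl = "https://lux.speedcurve.com/constructed-beacon-path";

for (const kind of Object.keys(DIRECTIVE_FOR)) {
  console.log(kind, "before:", isAllowed(before, kind, beaconUrl, SELF),
    "after:", isAllowed(after, kind, beaconUrl, SELF));
}
```

With the constructed "after" policy, only the image request to the LUX host is still permitted; a later switch of the reporting mechanism to fetch, XHR or sendBeacon would need the connect-src entry again.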

@injms injms marked this pull request as ready for review November 10, 2021 11:18

@alex-ju alex-ju left a comment

Don't forget to rebase for the changelog

@injms injms force-pushed the remove-lux-from-connect-src branch from a6db8fc to dd3341f Compare February 1, 2022 10:54

injms commented Feb 1, 2022

Rebased against main and force pushed.

@injms injms merged commit cb68d2a into main Feb 1, 2022
@injms injms deleted the remove-lux-from-connect-src branch February 1, 2022 10:55
@injms injms mentioned this pull request Feb 1, 2022