Add lux.speedcurve.com to connect_src CSP #232
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'm leaving this as a draft PR because I'm just about to go on leave, so won't be able to take this forward. However I'm tagging @kevindew who might be interested in picking up the baton. |
kevindew
force-pushed
the
add-speedcurve-csp
branch
2 times, most recently
from
cbefcbe
to
07685a7
Compare
kevindew
changed the title
kevindew
force-pushed
the
add-speedcurve-csp
branch
from
07685a7
to
d269436
Compare
theseanything
approved these changes
Apr 7, 2022
This commit implements the recommended Content Security Policy (CSP) for SpeedCurve RUM (a.k.a. Lux.js) as per their documentation. We however have not implemented their script source because we use a self hosted version of RUM [2]. This adds connect_src as a mechanism to communicate with RUM, this is needed because the previous method we used to record metrics, LUX.becaonMode, has been removed from Speedcurve RUM as of version 300 [3] which used images, whereas version 300 uses JS to send HTTP requests. I'm not sure if there remains to be any value having an img_src entry for lux.speedcurve.com as I'm not sure it is used beyond LUX.beaconMode, however it is still referenced in their recommended CSP [1]. The motivation for making this change is that we are seeing intermittent errors on the Smokey test suite, which presumably are occurring whenever RUM gets used. Example error: ``` https://www.integration.publishing.service.gov.uk/?smokey_cachebust=0.40911524769922525 - [Report Only] Refused to connect to 'https://lux.speedcurve.com/lux/?v=300&id=47044334&sid=164914853971764200&uid=164914853971764200&l=Welcome%20to%20GOV.UK&NT=1649148539305fs0ds0de0cs0ce0qs1bs5be15ol11oi198os198oe213oc215ls215le215sr165fc165&LJS=&PS=ns7bs0is1051ss4bc2ic0ia0it3dd9nd567vh600vw785dh4717dw785ds11601ct4G_er0nt0dm4&CPU=s|0,n|0,d|0,x|0,i|165&fl=80&HN=www.integration.publishing.service.gov.uk&PN=%2F' because it violates the following Content Security Policy directive: "connect-src 'self' *.publishing.service.gov.uk *.integration.publishing.service.gov.uk www.gov.uk *.dev.gov.uk www.google-analytics.com ssl.google-analytics.com stats.g.doubleclick.net www.googletagmanager.com www.tax.service.gov.uk hmrc-uk.digital.nuance.com hmpowebchat.klick2contact.com omni.eckoh.uk www.signin.service.gov.uk". ``` [1]: https://support.speedcurve.com/docs/add-rum-to-your-csp [2]: https://github.com/alphagov/govuk_publishing_components/blob/3674bf941cacbe97161f29ed63a349467d720eb2/docs/real-user-metrics.md [3]: https://support.speedcurve.com/changelog/rum-update-luxjs-v300 Co-authored by: Kevin Dew <kevin.dew@digital.cabinet-office.gov.uk>
kevindew
force-pushed
the
add-speedcurve-csp
branch
from
d269436
to
494dd20
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit implements the recommended Content Security Policy (CSP) for
SpeedCurve RUM (a.k.a. Lux.js) as per their documentation. We however
have not implemented their script source because we use a self hosted
version of RUM 2.
This adds connect_src as a mechanism to communicate with RUM, this is
needed because the previous method we used to record metrics, LUX.becaonMode,
has been removed from Speedcurve RUM as of version 300 3 which used
images, whereas version 300 uses JS to send HTTP requests.
I'm not sure if there remains to be any value having an img_src entry
for lux.speedcurve.com as I'm not sure it is used beyond LUX.beaconMode,
however it is still referenced in their recommended CSP 1.
The motivation for making this change is that we are seeing intermittent
errors on the Smokey test suite, which presumably are occurring whenever
RUM gets used. Example error:
This should resolve alphagov/govuk_publishing_components#2717.