Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add lux.speedcurve.com to connect_src CSP #232

Merged
merged 1 commit into from
Apr 7, 2022
Merged

Add lux.speedcurve.com to connect_src CSP #232

merged 1 commit into from
Apr 7, 2022

Commits on Apr 7, 2022

  1. Add lux.speedcurve.com to connect_src CSP 

    This commit implements the recommended Content Security Policy (CSP) for
SpeedCurve RUM (a.k.a. Lux.js) as per their documentation. We however
have not implemented their script source because we use a self hosted
version of RUM [2].

This adds connect_src as a mechanism to communicate with RUM, this is
needed because the previous method we used to record metrics, LUX.becaonMode,
has been removed from Speedcurve RUM as of version 300 [3] which used
images, whereas version 300 uses JS to send HTTP requests.

I'm not sure if there remains to be any value having an img_src entry
for lux.speedcurve.com as I'm not sure it is used beyond LUX.beaconMode,
however it is still referenced in their recommended CSP [1].

The motivation for making this change is that we are seeing intermittent
errors on the Smokey test suite, which presumably are occurring whenever
RUM gets used. Example error:

```
https://www.integration.publishing.service.gov.uk/?smokey_cachebust=0.40911524769922525 - [Report Only] Refused to connect to 'https://lux.speedcurve.com/lux/?v=300&id=47044334&sid=164914853971764200&uid=164914853971764200&l=Welcome%20to%20GOV.UK&NT=1649148539305fs0ds0de0cs0ce0qs1bs5be15ol11oi198os198oe213oc215ls215le215sr165fc165&LJS=&PS=ns7bs0is1051ss4bc2ic0ia0it3dd9nd567vh600vw785dh4717dw785ds11601ct4G_er0nt0dm4&CPU=s|0,n|0,d|0,x|0,i|165&fl=80&HN=www.integration.publishing.service.gov.uk&PN=%2F' because it violates the following Content Security Policy directive: "connect-src 'self' *.publishing.service.gov.uk *.integration.publishing.service.gov.uk www.gov.uk *.dev.gov.uk www.google-analytics.com ssl.google-analytics.com stats.g.doubleclick.net www.googletagmanager.com www.tax.service.gov.uk hmrc-uk.digital.nuance.com hmpowebchat.klick2contact.com omni.eckoh.uk www.signin.service.gov.uk".
```

[1]: https://support.speedcurve.com/docs/add-rum-to-your-csp
[2]: https://github.com/alphagov/govuk_publishing_components/blob/3674bf941cacbe97161f29ed63a349467d720eb2/docs/real-user-metrics.md
[3]: https://support.speedcurve.com/changelog/rum-update-luxjs-v300

Co-authored by: Kevin Dew <kevin.dew@digital.cabinet-office.gov.uk>
    @ollietreend @kevindew
    ollietreend authored and kevindew committed Apr 7, 2022
    Configuration menu
    Copy the full SHA
    494dd20 View commit details
    Browse the repository at this point in the history