chore: add integrity attribute to external links (#2215)

* remove redundant link this is bundled with Metro now! * chore(DotcomWeb): import all helpers * chore: add integrity attribute
mbta · Nov 7, 2024 · e730666 · e730666
1 parent db0878a
commit e730666
Show file tree

Hide file tree

Showing 16 changed files with 244 additions and 159 deletions.
diff --git a/config/runtime.exs b/config/runtime.exs
@@ -222,7 +222,7 @@ case config_env() do
              [
                "default-src 'none'",
                "img-src 'self' cdn.mbta.com #{System.get_env("STATIC_HOST", "")} #{System.get_env("CMS_API_BASE_URL", "")} px.ads.linkedin.com www.linkedin.com www.facebook.com *.google.com *.googleapis.com *.gstatic.com *.s3.amazonaws.com data: i.ytimg.com www.googletagmanager.com *.arcgis.com",
-               "style-src 'self' 'unsafe-inline' www.gstatic.com #{System.get_env("STATIC_HOST", "")} cdn.jsdelivr.net",
+               "style-src 'self' 'unsafe-inline' www.gstatic.com #{System.get_env("STATIC_HOST", "")}",
                "script-src 'self' 'unsafe-eval' 'unsafe-inline' #{System.get_env("STATIC_HOST", "")} insitez.blob.core.windows.net snap.licdn.com connect.facebook.net www.instagram.com www.google-analytics.com *.google.com www.gstatic.com www.googletagmanager.com *.googleapis.com data.mbta.com *.arcgis.com",
                "font-src 'self' #{System.get_env("STATIC_HOST", "")}",
                "connect-src 'self' wss://#{host} #{sentry_dsn_host || ""} *.googleapis.com analytics.google.com www.google-analytics.com www.google.com px.ads.linkedin.com stats.g.doubleclick.net *.arcgis.com *.s3.amazonaws.com",

diff --git a/lib/dotcom/body_tag.ex b/lib/dotcom/body_tag.ex
@@ -9,17 +9,7 @@ defmodule Dotcom.BodyTag do
     UI elements.
   """
 
-  alias PhoenixHTMLHelpers.Tag
-
-  @spec render(Plug.Conn.t()) :: Phoenix.HTML.Safe.t()
-  def render(conn) do
-    Tag.tag(
-      :body,
-      class: class_name(conn)
-    )
-  end
-
-  defp class_name(conn) do
+  def class_name(conn) do
     [
       javascript_class(),
       mticket_class(conn),

diff --git a/lib/dotcom_web.ex b/lib/dotcom_web.ex
@@ -75,6 +75,7 @@ defmodule DotcomWeb do
           project_path: 3,
           project_update_path: 3,
           project_update_path: 4,
+          static_integrity: 2,
           static_url: 2
         ]
 
@@ -135,11 +136,11 @@ defmodule DotcomWeb do
       use MbtaMetro
 
       import DotcomWeb.{Components, ErrorHelpers}
+      import DotcomWeb.Router.Helpers, except: [static_url: 2]
       import Phoenix.{HTML, LiveView.Helpers, View}
       import PhoenixHTMLHelpers.Form, except: [label: 1]
       import PhoenixHTMLHelpers.{Format, Link, Tag}
 
-      alias DotcomWeb.Router.Helpers
       alias Phoenix.LiveView.JS
 
       # Routes generation with the ~p sigil

diff --git a/lib/dotcom_web/live/admin.ex b/lib/dotcom_web/live/admin.ex
@@ -8,12 +8,12 @@ defmodule DotcomWeb.Live.Admin do
        :admin_features,
        [
          %{
-           url: Helpers.live_path(socket, DotcomWeb.Live.Admin.TripPlanFeedback),
+           url: live_path(socket, DotcomWeb.Live.Admin.TripPlanFeedback),
            title: "Trip Planner Feedback",
            description: "Find and download the latest comments and votes."
          },
          %{
-           url: Helpers.live_path(socket, DotcomWeb.Live.TripPlanner),
+           url: live_path(socket, DotcomWeb.Live.TripPlanner),
            title: "Trip Planner Preview",
            description: "WIP on the trip planner rewrite."
          }

diff --git a/lib/dotcom_web/templates/fare/proposed_sales_locations.html.heex b/lib/dotcom_web/templates/fare/proposed_sales_locations.html.heex
@@ -33,7 +33,11 @@
         <script defer src={"#{Application.get_env(:dotcom, :webpack_path)}/tnm.js"}>
         </script>
       <% else %>
-        <script defer src={static_url(@conn, "/js/tnm.js")}>
+        <script
+          defer
+          src={static_url(@conn, "/js/tnm.js")}
+          integrity={static_integrity(@conn, "/js/tnm.js")}
+        >
         </script>
       <% end %>
     </div>

diff --git a/lib/dotcom_web/templates/fare/retail_sales_locations.html.heex b/lib/dotcom_web/templates/fare/retail_sales_locations.html.heex
@@ -18,7 +18,11 @@
         <script defer src={"#{Application.get_env(:dotcom, :webpack_path)}/tnm.js"}>
         </script>
       <% else %>
-        <script defer src={static_url(@conn, "/js/tnm.js")}>
+        <script
+          defer
+          src={static_url(@conn, "/js/tnm.js")}
+          integrity={static_integrity(@conn, "/js/tnm.js")}
+        >
         </script>
       <% end %>
     </div>

diff --git a/lib/dotcom_web/templates/layout/_google_translate_plugin.html.eex b/lib/dotcom_web/templates/layout/_google_translate_plugin.html.eex
@@ -13,4 +13,4 @@
       layout: null, gaTrack: true, gaId: <%= tag_id %>}, "google_translate_element");
   }
 </script>
-<script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script>
+<script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit" integrity={static_integrity(@conn, "//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit")}></script>
diff --git a/lib/dotcom_web/templates/layout/admin.html.heex b/lib/dotcom_web/templates/layout/admin.html.heex
@@ -8,7 +8,7 @@
 <div class="container" style="background-color: white; min-height: 50vh; padding-top: 2rem">
   <%= if @socket.view !== DotcomWeb.Live.Admin do %>
     <%= link([fa("arrow-left", class: "fa-fw"), "Back to admin panel"],
-      to: Helpers.live_path(@socket, DotcomWeb.Live.Admin),
+      to: live_path(@socket, DotcomWeb.Live.Admin),
       class: "btn btn-secondary btn-sm"
     ) %>
     <hr />

diff --git a/lib/dotcom_web/templates/layout/root.html.eex b/lib/dotcom_web/templates/layout/root.html.eex