ci/console: restore CSP header injection in Vercel deploys#37084
jasonhernandez wants to merge 1 commit into
The Content-Security-Policy header is not committed in console/vercel.json; it is injected at build time by console/bin/apply-vercel-csp.js, which must run before `vercel build`. In the original console repo, both the production and preview deploys went through bin/build-ci, which ran apply-vercel-csp.js before building.

When the console was ported into this repo (MaterializeInc#35032), the deploy logic was reimplemented as Buildkite scripts that call `vercel build` directly and dropped the apply-vercel-csp.js step. As a result, the production, preview, and impersonation deploys ship with no CSP header at all (confirmed: a HEAD request to console.materialize.com returns no content-security-policy). Only the throwaway e2e test deploy (e2e-prod.sh) still applies it.

Restore the injection step before `vercel build` in all three real deploy scripts. The policy itself (console/contentSecurityPolicy.js) is unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jasonhernandez (Author):

our e2e tests have continued running against this content security policy, so I think our risk in re-enabling it is low!
Problem

The console's `Content-Security-Policy` header is not committed in `console/vercel.json` — it's injected at build time by `console/bin/apply-vercel-csp.js`, which must run before `vercel build`.

In the original `MaterializeInc/console` repo, both the production (`deploy-prod.yml`) and preview (`deploy-preview.yml`) deploys went through `bin/build-ci`, which ran `apply-vercel-csp.js` before building.

When the console was ported into this repo (#35032), the deploy logic was reimplemented as Buildkite scripts that call `vercel build` directly and dropped the `apply-vercel-csp.js` step. `console/bin/build-ci` was carried over intact but is no longer invoked by anything.

As a result, the real console deploys ship with no CSP header at all:

- Production (console.materialize.com): `ci/deploy/console.sh`
- Impersonation (internal.console.materialize.com): `ci/deploy/console-impersonation.sh`
- Preview: `ci/test/console/vercel-preview.sh`

Only the e2e test deploy (`ci/test/console/e2e-prod.sh`) still applies it.

Confirmed live — `curl -sI https://console.materialize.com` returns `x-frame-options` and `referrer-policy` but no `content-security-policy`.

Fix

Run `bin/apply-vercel-csp.js --sentry-release="$SENTRY_RELEASE"` before `vercel build` in all three real deploy scripts, matching the original `bin/build-ci` behavior. All three already export `SENTRY_RELEASE`.

The policy itself (`console/contentSecurityPolicy.js`) is unchanged.

Verification

After this lands and deploys, `curl -sI https://console.materialize.com | grep -i content-security` should return the CSP header.

🤖 Generated with Claude Code
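To make the build-time step concrete, here is an added example of what a script in the role of `apply-vercel-csp.js` does: it inserts the CSP header into a `vercel.json` headers entry, idempotently, and pairs it with the post-deploy presence check the Verification section describes. This is not the project's own `console/bin/apply-vercel-csp.js` or its policy; the directives, the report endpoint, the `--sentry-release` handling and the sample config values are assumptions.

```javascript
// Added illustration, not the project's console/bin/apply-vercel-csp.js. Assumes the
// standard Vercel "headers" schema ({ source, headers: [{ key, value }] }); directives,
// report endpoint and sample values below are made up.
const CSP_KEY = 'Content-Security-Policy';

// Build the policy string; the release id only lands in a report-uri query parameter.
function buildPolicy(sentryRelease) {
  const directives = [
    "default-src 'self'", "script-src 'self'",
    "object-src 'none'", "frame-ancestors 'none'",
  ];
  if (sentryRelease) {
    const release = encodeURIComponent(sentryRelease);
    directives.push(`report-uri https://csp-report.invalid/?release=${release}`);
  }
  return directives.join('; ');
}

// Insert or replace the CSP header on every route entry of a vercel.json object.
// Returns a fresh object and is idempotent, so running the step twice in one
// build never duplicates the header.
function applyCsp(vercelConfig, policy) {
  const config = JSON.parse(JSON.stringify(vercelConfig));
  if (!Array.isArray(config.headers) || config.headers.length === 0) {
    config.headers = [{ source: '/(.*)', headers: [] }];
  }
  for (const route of config.headers) {
    route.headers = (route.headers || []).filter(
      (h) => h.key.toLowerCase() !== CSP_KEY.toLowerCase(),
    );
    route.headers.push({ key: CSP_KEY, value: policy });
  }
  return config;
}

// Post-deploy check in the spirit of the PR's `curl -sI | grep` step: given raw
// response header lines, report whether any CSP header is present at all.
function hasCspHeader(rawHeaders) {
  return rawHeaders.split(/\r?\n/).some((line) => /^content-security-policy\s*:/i.test(line));
}

// Constructed sample: a config carrying only the two headers the live response was
// observed to return (header values are made up).
const sampleConfig = { headers: [{ source: '/(.*)', headers: [
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
] }] };

const patched = applyCsp(sampleConfig, buildPolicy('console@1.2.3'));
console.log(JSON.stringify(patched, null, 2));
```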