From 921f7bf9198334f49cf3cbb1dfe14ac455b515b7 Mon Sep 17 00:00:00 2001
From: Rajesh Paul
Date: Thu, 17 Mar 2022 17:02:56 +0530
Subject: [PATCH 1/6] updated content security policy to allow script and style from google analytics scripts
Signed-off-by: Rajesh Paul
---
 .../config/initializers/content_security_policy.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/supermarket/config/initializers/content_security_policy.rb b/src/supermarket/config/initializers/content_security_policy.rb
index 20098611e..a47e1f0dc 100644
--- a/src/supermarket/config/initializers/content_security_policy.rb
+++ b/src/supermarket/config/initializers/content_security_policy.rb
@@ -9,8 +9,9 @@
 policy.font_src :self, :https, :data
 policy.img_src :self, :https, :data
 policy.object_src :none
-policy.script_src :self, :https, "https://www.googletagmanager.com", "https://www.google-analytics.com"
-policy.style_src :self, :https, :unsafe_inline
+policy.script_src :self, :https, :unsafe_inline, "https://www.googletagmanager.com", "https://www.google-analytics.com"
+policy.script_src_elem :self, :unsafe_inline, "http://www.google-analytics.com", "http://cdn.segment.com"
+policy.style_src :self, :https, :unsafe_inline, "http://fonts.googleapis.com"
 # Specify URI for violation reports
 # policy.report_uri "/csp-violation-report-endpoint"
From 58bd17de58fabb596afb657d83737b108f0638f0 Mon Sep 17 00:00:00 2001
From: Rajesh Paul
Date: Thu, 17 Mar 2022 17:25:39 +0530
Subject: [PATCH 2/6] fix linter errors
Signed-off-by: Rajesh Paul
---
 .../config/initializers/content_security_policy.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/supermarket/config/initializers/content_security_policy.rb b/src/supermarket/config/initializers/content_security_policy.rb
index a47e1f0dc..617fc8fe2 100644
--- a/src/supermarket/config/initializers/content_security_policy.rb
+++ b/src/supermarket/config/initializers/content_security_policy.rb
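Review bot: The new `policy.script_src_elem` line lists only `:self`, `:unsafe_inline` and two `http://` hosts, while `policy.script_src` on the line above still carries `:https` and `https://www.googletagmanager.com`; browsers that implement script-src-elem apply it to `<script>` elements instead of script-src, so a tag loading from googletagmanager.com would presumably be refused by the directive this hunk adds. The `http://` entries here and on the style_src line also differ from the `https://` form used elsewhere in the policy and additionally admit a plaintext load of each host; nothing on the page suggests these assets are fetched over plain HTTP, so the `https://` form is the tighter and consistent one, e.g. `policy.script_src_elem :self, :https, "https://www.googletagmanager.com", "https://www.google-analytics.com", "https://cdn.segment.com"`. `:unsafe_inline` on script-src and script-src-elem switches off the inline-script blocking that is the main value of this header; patch 5/6 of this series removes it again in favour of a nonce, so that part needs no separate change here. The enclosing `content_security_policy do |policy|` block starts before this hunk.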
@@ -6,12 +6,12 @@ Rails.application.config.content_security_policy do |policy|
 policy.default_src :self, :https
-policy.font_src :self, :https, :data
-policy.img_src :self, :https, :data
-policy.object_src :none
-policy.script_src :self, :https, :unsafe_inline, "https://www.googletagmanager.com", "https://www.google-analytics.com"
-policy.script_src_elem :self, :unsafe_inline, "http://www.google-analytics.com", "http://cdn.segment.com"
-policy.style_src :self, :https, :unsafe_inline, "http://fonts.googleapis.com"
+policy.font_src :self, :https, :data
+policy.img_src :self, :https, :data
+policy.object_src :none
+policy.script_src :self, :https, :unsafe_inline, "https://www.googletagmanager.com", "https://www.google-analytics.com"
+policy.script_src_elem :self, :unsafe_inline, "http://www.google-analytics.com", "http://cdn.segment.com"
+policy.style_src :self, :https, :unsafe_inline, "http://fonts.googleapis.com"
 # Specify URI for violation reports
 # policy.report_uri "/csp-violation-report-endpoint"
From ec1e364524047679ae9da5b94fb5907a35129651 Mon Sep 17 00:00:00 2001
From: Rajesh Paul
Date: Mon, 21 Mar 2022 15:11:20 +0530
Subject: [PATCH 3/6] changed google analytics code snippet to enable tracking
Signed-off-by: Rajesh Paul
---
 .../app/views/application/_analytics.html.erb | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/src/supermarket/app/views/application/_analytics.html.erb b/src/supermarket/app/views/application/_analytics.html.erb
index 426137927..c21f7cfbd 100644
--- a/src/supermarket/app/views/application/_analytics.html.erb
+++ b/src/supermarket/app/views/application/_analytics.html.erb
@@ -8,15 +8,13 @@ <% end %> <% if ENV['GOOGLE_ANALYTICS_ID'] %> + + <% end %>
From dc9374438723e73418da6c25d5a64b7c4b26d8c7 Mon Sep 17 00:00:00 2001
From: Rajesh Paul
Date: Mon, 21 Mar 2022 16:01:58 +0530
Subject: [PATCH 4/6] corrected erb tag closing
Signed-off-by: Rajesh Paul
---
 src/supermarket/app/views/application/_analytics.html.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/supermarket/app/views/application/_analytics.html.erb b/src/supermarket/app/views/application/_analytics.html.erb
index c21f7cfbd..75d35d323 100644
--- a/src/supermarket/app/views/application/_analytics.html.erb
+++ b/src/supermarket/app/views/application/_analytics.html.erb
@@ -9,12 +9,12 @@ <% if ENV['GOOGLE_ANALYTICS_ID'] %> - + <% end %>
From e05afdf8e30e6f94ff6f208135a89a9fec0d62cd Mon Sep 17 00:00:00 2001
From: Rajesh Paul
Date: Tue, 29 Mar 2022 23:20:21 +0530
Subject: [PATCH 5/6] Removed :unsafe_inline from CSP and added nonce in CSP for allowing inline scripts
Signed-off-by: Rajesh Paul
---
 .../app/views/application/_analytics.html.erb | 6 +++---
 .../initializers/content_security_policy.rb | 15 ++++++++++-----
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/supermarket/app/views/application/_analytics.html.erb b/src/supermarket/app/views/application/_analytics.html.erb
index 75d35d323..e37bec842 100644
--- a/src/supermarket/app/views/application/_analytics.html.erb
+++ b/src/supermarket/app/views/application/_analytics.html.erb
@@ -10,11 +10,11 @@ <% if ENV['GOOGLE_ANALYTICS_ID'] %> - -<% end %> + <% end %> +<% end %>
\ No newline at end of file
diff --git a/src/supermarket/config/initializers/content_security_policy.rb b/src/supermarket/config/initializers/content_security_policy.rb
index 617fc8fe2..9352bda1f 100644
--- a/src/supermarket/config/initializers/content_security_policy.rb
+++ b/src/supermarket/config/initializers/content_security_policy.rb
@@ -9,18 +9,23 @@
 policy.font_src :self, :https, :data
 policy.img_src :self, :https, :data
 policy.object_src :none
-policy.script_src :self, :https, :unsafe_inline, "https://www.googletagmanager.com", "https://www.google-analytics.com"
-policy.script_src_elem :self, :unsafe_inline, "http://www.google-analytics.com", "http://cdn.segment.com"
-policy.style_src :self, :https, :unsafe_inline, "http://fonts.googleapis.com"
+policy.script_src :self, :https, "https://www.googletagmanager.com", "https://www.google-analytics.com"
+policy.script_src_elem :self, "http://www.google-analytics.com", "http://cdn.segment.com"
+# Need to keep the unsafe_inline for style-src directive as
+# there is an inline css embedded in the application.js file.
+# Without unsafe_inline it will block the style tag.
+# Style tags are not considered that much unsafe as externally injected script through xss attack.
+policy.style_src :self, :unsafe_inline, :https, "http://fonts.googleapis.com"
 # Specify URI for violation reports
 # policy.report_uri "/csp-violation-report-endpoint"
 end
 # If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }
+Rails.application.config.content_security_policy_nonce_directives = %w{ script-src }
 # Report CSP violations to a specified URI
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# Rails.application.config.content_security_policy_report_only = true
+# Rails.application.config.content_security_policy_report_only = true
\ No newline at end of file
From 058fccde72edf11d05764fa5fd7313f7f5ac87ca Mon Sep 17 00:00:00 2001
From: Rajesh Paul
Date: Wed, 30 Mar 2022 00:52:59 +0530
Subject: [PATCH 6/6] allow inline script for segment
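Review bot: `content_security_policy_nonce_directives = %w{ script-src }` attaches the per-request nonce only to script-src, yet this hunk keeps a `policy.script_src_elem` directive, and where script-src-elem is present browsers consult it — not script-src — to decide whether an inline `<script>` may run; with `:unsafe_inline` now removed from both lines, a nonce-tagged inline snippet would presumably be blocked in those browsers because script-src-elem carries neither the nonce nor 'unsafe-inline'. Either include that directive in the nonce list, `Rails.application.config.content_security_policy_nonce_directives = %w[script-src script-src-elem]`, or drop the script_src_elem line so that script-src and its nonce govern script elements. The `http://` hosts on the script_src_elem and style_src lines survive from patch 1/6 and still permit a plaintext load of each host; `https://` is the consistent form. Note also that `:https` in `policy.script_src` already admits any HTTPS origin as a script source, so the two named Google hosts on that line add nothing while `:https` remains; if an allowlist is the intent, `policy.script_src :self, "https://www.googletagmanager.com", "https://www.google-analytics.com"` expresses it. The `content_security_policy do |policy|` block starts before this hunk.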
Signed-off-by: Rajesh Paul
---
 src/supermarket/app/views/application/_analytics.html.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/supermarket/app/views/application/_analytics.html.erb b/src/supermarket/app/views/application/_analytics.html.erb
index e37bec842..5fae2dc63 100644
--- a/src/supermarket/app/views/application/_analytics.html.erb
+++ b/src/supermarket/app/views/application/_analytics.html.erb
@@ -1,10 +1,10 @@ <% if ENV['SEGMENT_WRITE_KEY'] %> - + <% end %> <% end %> <% if ENV['GOOGLE_ANALYTICS_ID'] %>