fix: security headers

[rongquan1]

Summary by CodeRabbit

• Chores

  • Updated integration test scripts so Chrome (including headless) runs with relaxed local network access checks during test runs.

• Security

  • Replaced the single Content-Security-Policy entry with a comprehensive set of security response headers (CSP, Permissions-Policy, CORP/COOP, etc.) while preserving embedding-friendly behavior.

[coderabbitai]

Walkthrough

Updated two npm integration test scripts to add a Chrome feature flag and replaced a single Content-Security-Policy line in netlify.toml with a broader set of security and embedding-related headers.

Changes

Cohort / File(s)	Summary
Test scripts package.json	Modified integration and integration:headless scripts to run TestCafe with quoted Chrome launchers including --disable-features=LocalNetworkAccessChecks (e.g., testcafe 'chrome --disable-features=LocalNetworkAccessChecks' ...). No other script logic changed.
Netlify headers / deployment config netlify.toml	Replaced a single Content-Security-Policy entry with a multi-header block (embedding-friendly CSP plus Permissions-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, Referrer-Policy, X-Frame-Options, and related headers); added comments about embedding/iframe behavior.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Dev (npm)
  participant TC as TestCafe
  participant Chrome as Chrome (launched)
  participant App as example:application
  participant Netlify as Netlify (headers)

  rect "#e6f7ec"
    Dev->>TC: run `npm run integration` / `integration:headless`
    Note right of TC: invoked with\n'chrome[ :headless] --disable-features=LocalNetworkAccessChecks'
    TC->>Chrome: launch Chrome with flag
    Chrome->>App: request app URL (App started via npm)
    App->>Chrome: respond with app content
  end

  rect "#eef3ff"
    Note over Netlify: Deployment headers updated (CSP, Permissions-Policy, CORP/COOP, etc.)
    Chrome->>Netlify: fetch resources
    Netlify->>Chrome: responds with expanded security headers
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify header values in netlify.toml match intended embedding behavior.
• Confirm quoted Chrome flag syntax works in CI shells and with the TestCafe version used.

Possibly related PRs

• fix: security headers #160 — also modifies netlify.toml security/CSP and is closely related to these header changes.

Suggested reviewers

• Moiz47

Poem

🐰 I hopped through flags and headers bright,
Launched Chrome for tests at morning light.
Frames now welcome, policies aligned,
Tests run steady, builds feel kind. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: security headers' accurately describes the main change: updating security configurations in netlify.toml and testcafe scripts to improve security headers and flags.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/security-headers

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 95faee6 and 48faae2.

📒 Files selected for processing (1)

• netlify.toml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• netlify.toml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Redirect rules - generic-templates
• GitHub Check: Header rules - generic-templates
• GitHub Check: Pages changed - generic-templates
• GitHub Check: Lint & Test

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a978ea8 and 10dce64.

📒 Files selected for processing (1)

• netlify.toml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Lint & Test

🔇 Additional comments (1)

netlify.toml (1)

4-5: Verify that frame-ancestors * is appropriate for your use case.

The policy allows embedding from any origin, which aligns with the design goal of supporting template embedding. However, this is a significant security consideration and should be explicitly approved.

If possible, consider restricting frame-ancestors to trusted origins (e.g., frame-ancestors 'self' https://trusted-domain.com) rather than allowing all origins. If * is necessary, ensure this decision is documented and approved.

Also applies to: 8-8

[netlify]

✅ Deploy Preview for generic-templates ready!

Name	Link
🔨 Latest commit	48faae2
🔍 Latest deploy log	https://app.netlify.com/projects/generic-templates/deploys/6909a043a2bc78000809e0ee
😎 Deploy Preview	https://deploy-preview-161--generic-templates.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cad4a8e and f0bc657.

📒 Files selected for processing (1)

• netlify.toml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Redirect rules - generic-templates
• GitHub Check: Header rules - generic-templates
• GitHub Check: Pages changed - generic-templates
• GitHub Check: Lint & Test

🔇 Additional comments (2)

netlify.toml (2)

18-21: ✅ Standard security headers look good.

Lines 19-21 follow security best practices:

• X-Content-Type-Options: nosniff prevents MIME-type sniffing attacks.
• Strict-Transport-Security with 1-year max-age and includeSubDomains enforces HTTPS.
• Referrer-Policy: strict-origin-when-cross-origin balances privacy and functionality appropriately.

These headers are well-suited for a template embedding service.

---

13-16: Embedding functionality will NOT be broken by COOP "same-origin".

The review comment conflates two distinct HTTP header mechanisms:

1. Embedding capability (iframe loading): Controlled by CSP frame-ancestors * on line 7, which explicitly allows embedding from any origin. This header remains effective and unrestricted.

2. Browsing context isolation (cross-origin access): Controlled by COOP same-origin on line 15, which prevents cross-origin window.opener/parent access.

The codebase does NOT rely on cross-origin opener access—all external links explicitly use rel="noopener noreferrer" to prevent it. Therefore, COOP same-origin is a security-hardening measure, not a breaking change.

The policy is intentional and consistent: the site allows iframing from any origin (CSP) while maintaining cross-origin isolation (COOP). No verification of embedding compatibility is needed.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

netlify.toml (1)

7-8: ⚠️ CSP still contains 'unsafe-inline' and 'unsafe-eval'—unresolved from previous reviews.

This is a duplicate of critical security concerns flagged in earlier reviews (commits cad4a8e and d2300b6). The CSP on line 8 still includes:

• 'unsafe-inline' in script-src and style-src
• 'unsafe-eval' globally

These directives significantly weaken XSS protection and should be removed entirely. The previous review commits claim resolution, but the issue persists. Before merging, you must either:

1. Remove the unsafe directives and use cryptographic nonces (generated per HTTP response) or SHA-256 hashes for any legitimate inline scripts/styles, or
2. Explicitly document why these directives are necessary for template embedding and accept the security trade-off with team/security sign-off.

Audit the codebase and dependencies to confirm nothing actually relies on eval() or inline script execution before removal.

Do you want me to generate a verification script to confirm whether eval patterns or inline script dependencies actually exist in the codebase?

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b48051 and 95faee6.

📒 Files selected for processing (1)

• netlify.toml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Lint & Test

🔇 Additional comments (1)

netlify.toml (1)

10-11: Good: Permissions-Policy, CORP, and additional security headers provide defense-in-depth.

The Permissions-Policy is well-configured with restrictive defaults. CORP is set to same-origin, COOP is now same-origin (an improvement from the previous unsafe-none), and headers like STS, Referrer-Policy, and X-Content-Type-Options add meaningful layers of protection.

However, these improvements are undermined if the CSP unsafe directives and overly-broad frame-ancestors are not addressed.

Also applies to: 13-21