Self-host select2 and remove it from CSP exceptions #2826

Open
vickyszuchin opened this issue Sep 19, 2024 · 4 comments · May be fixed by #3093

vickyszuchin commented Sep 19, 2024

Issue description

In #2649, we added a small external dependency. @Matt-Spence raised a concern about this in a comment, and I agree that if we want to use select2, we should in-source it and self-host.

A recent WH memo also requires us to avoid this:

Avoid unnecessary third-party resources: Agencies must not embed static, unchanging web assets, such as a specific version of a common and widely used code library (e.g., JavaScript, CSS, fonts) that are hosted on third-party services not under the control of the agency. Embedding static third-party assets is an outdated practice that no longer confers significant performance benefits, and it creates unnecessary security risks. This restriction only applies to static (unchanging) third-party assets and does not bar the practice of embedding dynamic third-party resources that are necessary for digital service delivery (e.g., analytics services).

I think our use of Andi on ssa.gov is justifiable, but let's remove the CSP cutout for select2.

Acceptance criteria

  • Re-confirm the need for select2 at all and look at alternatives to self-hosting it
    • Alysia: "Self hosting is honestly the only easy resolution I can think of off the top of my head without googling for known alternatives. So no counterargument here. I do think I would still recommend the dev that implements this spend at least an hour trying to look for alternative solutions."
  • Confirm the license for select2 aligns with ours
  • In-source select2
  • Remove select2 from our CSP exceptions
  • Stay within a 2-day timebox
  • Add a (very small) ADR summarizing what we're doing and why. See the Slack thread for additional content.

Additional context

Slack thread

Links to other issues

No response
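As an added illustration of the acceptance criteria above (this is example code written for this page, not code from the project or from anyone in the thread), the following Python audit parses a Content-Security-Policy header, flags third-party host sources in the static-asset directives the memo covers (script-src, style-src, font-src) while leaving dynamic-service directives such as connect-src alone, and emits the tightened policy once the asset is served from the site itself. The policy string, the CDN hostname `cdn.example-cdn.net` and the analytics host are constructed for the example; the issue does not name the host select2 was loaded from.

```python
"""Audit a Content-Security-Policy header for third-party static-asset
origins and produce the tightened policy once the asset is self-hosted.

Added example for this issue; not code from the project. The header and
hostnames below are constructed, not taken from any real deployment.
"""
from typing import Dict, List, Tuple

# Directives that govern static, cacheable assets (scripts, stylesheets,
# fonts): the category the memo says must not come from third-party hosts.
STATIC_ASSET_DIRECTIVES = ("script-src", "style-src", "font-src")

# Source expressions that are not host sources and so never name a third party.
KEYWORD_SOURCES = {
    "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
    "'strict-dynamic'", "'report-sample'", "data:", "blob:",
}

# Constructed sample: a policy with a CDN cutout for select2 in script-src
# and style-src, plus a dynamic analytics endpoint in connect-src.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' cdn.example-cdn.net 'nonce-abc123'; "
    "style-src 'self' cdn.example-cdn.net; "
    "font-src 'self' data:; "
    "img-src 'self' data:; "
    "connect-src 'self' analytics.example.gov"
)
SELECT2_CDN_HOST = "cdn.example-cdn.net"  # hypothetical host for the example


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}, keeping order."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp: 'directive src src; directive src'."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def is_third_party_host(source: str) -> bool:
    """True for host sources (cdn.example.com, https://host, *.example.com)
    and for scheme or wildcard sources ('https:', '*') that admit any host;
    False for keywords, nonces and hashes, which bind to the page itself."""
    s = source.lower()
    if s in KEYWORD_SOURCES or s.startswith("'nonce-") or s.startswith("'sha"):
        return False
    return True


def find_third_party_static_sources(policy: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (directive, source) pairs that load static assets from outside
    the site. Directives for dynamic services (connect-src, frame-src, ...)
    are not checked, mirroring the memo's static-versus-dynamic distinction."""
    return [
        (directive, src)
        for directive in STATIC_ASSET_DIRECTIVES
        for src in policy.get(directive, [])
        if is_third_party_host(src)
    ]


def remove_source(policy: Dict[str, List[str]], host: str) -> Dict[str, List[str]]:
    """Drop `host` from every directive. Once the asset is served from the
    app's own static files, 'self' already covers it, so nothing is added.
    A directive left with no sources is written as 'none' rather than empty."""
    tightened: Dict[str, List[str]] = {}
    for name, srcs in policy.items():
        kept = [s for s in srcs if s.lower() != host.lower()]
        tightened[name] = kept if kept else ["'none'"]
    return tightened


if __name__ == "__main__":
    before = parse_csp(SAMPLE_CSP)
    for directive, src in find_third_party_static_sources(before):
        print(f"third-party static source: {directive} {src}")
    after = remove_source(before, SELECT2_CDN_HOST)
    print("tightened policy:", serialize_csp(after))
```

Run against the sample, the audit reports the CDN host under script-src and style-src only; the analytics host in connect-src is a dynamic service and is not flagged. After the host is removed, the nonce and 'self' entries survive unchanged, which is all a self-hosted copy of select2 needs.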

@vickyszuchin vickyszuchin changed the title Research: identify CSP cutout and this external dependency and propose workarounds Research: Identify CSP cutout and external dependency and propose workarounds Sep 19, 2024
@vickyszuchin vickyszuchin changed the title Research: Identify CSP cutout and external dependency and propose workarounds Research: Identify third-party resources and propose workarounds Sep 19, 2024
@vickyszuchin vickyszuchin moved this from 👶 New to 🍦 Backlog in .gov Product Board Sep 19, 2024
vickyszuchin (author) commented

@abroddrick a reminder to refine this ticket. You can remove the "refinement" label afterwards.

@h-m-f-t h-m-f-t assigned h-m-f-t and unassigned abroddrick Sep 23, 2024

h-m-f-t commented Sep 23, 2024

Cameron to refine


abroddrick commented Sep 24, 2024

@h-m-f-t I updated this to mention that there should be a timebox of 2 days and updated my previous comment to not specifically call out a few mins of research. Also, I added in an AC that the person make a dev ticket with the proposed solution. No objections to this one as is.

@h-m-f-t h-m-f-t changed the title Research: Identify third-party resources and propose workarounds Self-host select2 and remove it from the CSP exceptions Sep 25, 2024
@h-m-f-t h-m-f-t changed the title Self-host select2 and remove it from the CSP exceptions Self-host select2 and remove it from CSP exceptions Sep 25, 2024

h-m-f-t commented Sep 25, 2024

@abroddrick I've substantially revised and re-titled this issue, moving it from general concern to a specific action. Let me know what you think.

@h-m-f-t h-m-f-t removed their assignment Sep 30, 2024
@abroddrick abroddrick moved this from 🍦 Backlog to 🎯 Ready in .gov Product Board Sep 30, 2024
@vickyszuchin vickyszuchin moved this from 🎯 Ready to 🔖 Planned in .gov Product Board Nov 12, 2024
@Matt-Spence Matt-Spence moved this from 🔖 Planned to 🏗 In progress in .gov Product Board Nov 18, 2024
@Matt-Spence Matt-Spence self-assigned this Nov 18, 2024
@Matt-Spence Matt-Spence linked a pull request Nov 18, 2024 that will close this issue
Projects: Status: 🏗 In progress

4 participants