File Input Render Issue

[elipe17]

Summary of Changes

• Updated Nginx CSP to allow unsafe-inline

How to Test

cd tdrs-frontend && docker-compose up
cd tdrs-backend && docker-compose up

1. Log in as a user with data submission privileges
2. Upload a file that is empty or has an incorrect extension
3. Verify error message is shown, icon for file renders, and file cannot be submitted.

Deliverables

More details on how deliverables herein are assessed included here.

Deliverable 1: Accepted Features

Checklist of ACs:

• incorrect file types have error message and file image
• lfrohlich and/or adpennington confirmed that ACs are met.

Deliverable 2: Tested Code

• Are all areas of code introduced in this PR meaningfully tested?
  • If this PR introduces backend code changes, are they meaningfully tested?
  • If this PR introduces frontend code changes, are they meaningfully tested?
• Are code coverage minimums met?
  • Frontend coverage: [insert coverage %] (see CodeCov Report comment in PR)
  • Backend coverage: [insert coverage %] (see CodeCov Report comment in PR)

Deliverable 3: Properly Styled Code

• Are backend code style checks passing on CircleCI?
• Are frontend code style checks passing on CircleCI?
• Are code maintainability principles being followed?

Deliverable 4: Accessible

• Does this PR complete the epic?
• Are links included to any other gov-approved PRs associated with epic?
• Does PR include documentation for Raft's a11y review?
• Did automated and manual testing with iamjolly and ttran-hub using Accessibility Insights reveal any errors introduced in this PR?

Deliverable 5: Deployed

• Was the code successfully deployed via automated CircleCI process to development on Cloud.gov?

Deliverable 6: Documented

• Does this PR provide background for why coding decisions were made?
• If this PR introduces backend code, is that code easy to understand and sufficiently documented, both inline and overall?
• If this PR introduces frontend code, is that code easy to understand and sufficiently documented, both inline and overall?
• If this PR introduces dependencies, are their licenses documented?
• Can reviewer explain and take ownership of these elements presented in this code review?

Deliverable 7: Secure

• Does the OWASP Scan pass on CircleCI?
• Do manual code review and manual testing detect any new security issues?
• If new issues detected, is investigation and/or remediation plan documented?

Deliverable 8: User Research

Research product(s) clearly articulate(s):

• the purpose of the research
• methods used to conduct the research
• who participated in the research
• what was tested and how
• impact of research on TDP
• (if applicable) final design mockups produced for TDP development

[codecov]

Codecov Report

Merging #2725 (9f9a8ee) into develop (8ec31f9) will decrease coverage by 0.58%.
Report is 52 commits behind head on develop.
The diff coverage is 91.53%.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #2725      +/-   ##
===========================================
- Coverage    92.99%   92.41%   -0.58%     
===========================================
  Files          219      239      +20     
  Lines         4482     5340     +858     
  Branches       385      473      +88     
===========================================
+ Hits          4168     4935     +767     
- Misses         242      312      +70     
- Partials        72       93      +21     

Flag	Coverage Δ
dev-backend	92.29% <92.06%> (-0.55%)	⬇️
dev-frontend	92.95% <78.26%> (-0.65%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
tdrs-backend/tdpservice/core/logger.py	100.00% <100.00%> (ø)
tdrs-backend/tdpservice/data_files/serializers.py	100.00% <100.00%> (ø)
...rs-backend/tdpservice/data_files/test/factories.py	100.00% <100.00%> (ø)
tdrs-backend/tdpservice/data_files/validators.py	96.15% <ø> (ø)
tdrs-backend/tdpservice/data_files/views.py	90.65% <100.00%> (+0.08%)	⬆️
tdrs-backend/tdpservice/email/email.py	76.78% <100.00%> (-1.55%)	⬇️
...vice/email/helpers/account_deactivation_warning.py	100.00% <100.00%> (ø)
...backend/tdpservice/email/helpers/account_status.py	84.84% <100.00%> (ø)
tdrs-backend/tdpservice/email/helpers/data_file.py	100.00% <100.00%> (ø)
tdrs-backend/tdpservice/parsers/admin.py	100.00% <100.00%> (ø)
... and 53 more

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 96452dc...9f9a8ee. Read the comment docs.

[andrew-jameson]

@elipe17 Could you run OWASP locally against your branch to verify this doesn't trigger some new alert? I believe we had unsafe-inline in place at some previous time.

[raftmsohani]

@elipe17 Could you run OWASP locally against your branch to verify this doesn't trigger some new alert? I believe we had unsafe-inline in place at some previous time.

If owasp scan complains then we can add conditional inline-safe header based on request

[elipe17]

@elipe17 Could you run OWASP locally against your branch to verify this doesn't trigger some new alert? I believe we had unsafe-inline in place at some previous time.

@andrew-jameson The scan is passing locally for me with three warnings.

[raftmsohani]

LGTM!

[reitermb]

Looking great! Confirming that the icon rendering issue is corrected, automated a11y scans are still clean, and screenreader behavior is still working as it should!

cc @ADPennington @ttran-hub

[ADPennington]

🚀