Use the full (relative) view path for CSP exclusion (#3916)

GitOrigin-RevId: f6828a447abcc550f0c7dfd0fc6fc72f4b5b1f7e

services/web/app/src/infrastructure/CSP.js

@@ -1,4 +1,5 @@
 const crypto = require('crypto')
+const path = require('path')
 
 module.exports = function ({
   reportUri,
@@ -10,8 +11,7 @@ module.exports = function ({
     const originalRender = res.render
 
     res.render = (...args) => {
-      // use the view path after removing any prefix up to a "views" folder
-      const view = args[0].split('/views/').pop()
+      const view = relativeViewPath(args[0])
 
       // enable the CSP header for a percentage of requests
       const belowCutoff = Math.random() * 100 <= percentage
@@ -51,3 +51,12 @@ module.exports = function ({
     next()
   }
 }
+
+const webRoot = path.resolve(__dirname, '..', '..', '..')
+
+// build the view path relative to the web root
+function relativeViewPath(view) {
+  return path.isAbsolute(view)
+    ? path.relative(webRoot, view)
+    : path.join('app', 'views', view)
+}

services/web/config/settings.defaults.coffee

@@ -735,5 +735,8 @@ module.exports = settings =
 		enabled: process.env.CSP_ENABLED == 'true'
 		reportOnly: process.env.CSP_REPORT_ONLY == 'true'
 		reportUri: process.env.CSP_REPORT_URI
-		exclude: ['project/editor', 'project/list']
+		exclude: [
+			'app/views/project/editor',
+			'app/views/project/list',
+		]
 	}