
[ES-2916] fixed ui rendering and biometric login issue caused by csp header #1675

Merged
zesu22 merged 2 commits into mosip:develop from Infosys:ES-2916
Mar 18, 2026

Conversation

sacrana0 (Contributor) commented Mar 18, 2026

Summary by CodeRabbit

  • Chores
    • Updated Content Security Policy to allow inline styles, data-URI images, and additional external script, frame, and connection sources, enabling broader use of external resources and integrations while preserving other security directives.

Signed-off-by: Sachin Rana <sacrana324@gmail.com>
coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 3179387 and 487b042.

📒 Files selected for processing (2)
  • helm/oidc-ui/templates/configmap.yaml
  • oidc-ui/nginx/nginx.conf
🚧 Files skipped from review as they are similar to previous changes (2)
  • oidc-ui/nginx/nginx.conf
  • helm/oidc-ui/templates/configmap.yaml

Walkthrough

Updated the Content-Security-Policy delivered via nginx/configmap: added 'unsafe-inline' to style-src; expanded img-src to include data: and mosip.net origins; and introduced script-src, frame-src, and connect-src directives (including localhost-style endpoints).

Changes

Cohort / File(s): CSP / nginx config (helm/oidc-ui/templates/configmap.yaml, oidc-ui/nginx/nginx.conf)
Summary: Modified Content-Security-Policy: added 'unsafe-inline' to style-src; extended img-src to include data: and *.mosip.net origins; added script-src, frame-src, and connect-src directives (includes localhost-like patterns and specified origins).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through headers, bright and spry,
I nudged a rule, then gave a sigh.
Images, scripts, and frames now play—
A gentler fence to guide the way. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly describes the main change: fixing UI rendering and biometric login issues caused by CSP header modifications. It directly relates to the changeset which updates Content-Security-Policy directives in nginx configuration.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
oidc-ui/nginx/nginx.conf (1)

83-83: Treat style-src 'unsafe-inline' as temporary and plan nonce/hash migration.

Line 83 weakens CSP policy globally. If this is needed to unblock rendering now, please track follow-up hardening to nonce/hash inline styles and remove 'unsafe-inline'.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@oidc-ui/nginx/nginx.conf` at line 83, The CSP directive currently permits
inline styles via the entry "style-src 'self' https://fonts.googleapis.com
'unsafe-inline'" which weakens the policy; update the nginx.conf to treat this
as a temporary allowance by adding a clear TODO comment next to that "style-src
'self' https://fonts.googleapis.com 'unsafe-inline'" entry, create a tracking
ticket to replace 'unsafe-inline' with nonces or hashes, and prepare code
changes to migrate inline styles to use per-response nonces (or computed style
hashes) so you can remove 'unsafe-inline' from the "style-src" directive once
migration is complete.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@oidc-ui/nginx/nginx.conf`:
- Line 88: The connect-src CSP directive currently allows any loopback port via
the entry "http://127.0.0.1:*"; update the nginx.conf connect-src directive to
restrict loopback to the SBI port range by replacing "http://127.0.0.1:*" with
"http://127.0.0.1:4501-4600" (or a reasonable upper bound if ports are dynamic)
so the connect-src rule only permits the expected SBI ports; locate the
connect-src directive in nginx.conf to make this change.


ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 2fa9c2c and 3179387.

📒 Files selected for processing (2)
  • helm/oidc-ui/templates/configmap.yaml
  • oidc-ui/nginx/nginx.conf
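The two findings raised in the review above, as an added example that is not part of this PR or the esignet project: a small Python linter that parses a CSP header value, flags 'unsafe-inline' in style-src or script-src and a wildcard loopback port in connect-src, and computes the hash-source that replaces 'unsafe-inline' for one inline style block. The policy strings are constructed to mirror the directives quoted in the review, the SBI port range 4501-4600 is taken from the review text, and the two example ports are assumed; a CSP host source accepts a single port or '*', not a port range, so the hardened form enumerates ports.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Constructed policy strings that mirror the directives quoted in the review;
# they are illustrations, not the repository's nginx.conf.
WEAK_CSP = ("style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; "
            "connect-src 'self' http://127.0.0.1:*")
HARDENED_CSP = ("style-src 'self' https://fonts.googleapis.com; "
                "connect-src 'self' http://127.0.0.1:4501 http://127.0.0.1:4502")

LOOPBACK = re.compile(r"^https?://(?:127\.0\.0\.1|localhost):(\*|\d+)$", re.I)
SBI_PORTS = range(4501, 4601)  # assumed SBI port range, taken from the review text


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(header: str) -> List[str]:
    """Flag the two weaknesses raised in the review: inline allowances and open loopback ports."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("script-src", "style-src"):
        if "'unsafe-inline'" in policy.get(directive, []):
            findings.append(f"{directive}: 'unsafe-inline' present; use nonces or hashes instead")
    for src in policy.get("connect-src", []):
        match = LOOPBACK.match(src)
        if not match:
            continue
        port = match.group(1)
        # A CSP host source takes one port or '*'; '*' reaches every loopback listener.
        if port == "*":
            findings.append(f"connect-src: {src} allows every loopback port; list SBI ports explicitly")
        elif int(port) not in SBI_PORTS:
            findings.append(f"connect-src: {src} is outside the expected SBI range "
                            f"{SBI_PORTS.start}-{SBI_PORTS.stop - 1}")
    return findings


def style_hash(css: str) -> str:
    """Hash-source for one inline <style> block, the CSP replacement for 'unsafe-inline'."""
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"
```

Running lint_csp(WEAK_CSP) reports both findings, lint_csp(HARDENED_CSP) reports none, and the value returned by style_hash can be placed directly in style-src once the matching inline block is the only inline style served.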

@zesu22 zesu22 merged commit 487024d into mosip:develop Mar 18, 2026
28 of 29 checks passed
@sacrana0 sacrana0 deleted the ES-2916 branch March 18, 2026 12:28
sacrana0 added a commit to Infosys/esignet that referenced this pull request Mar 18, 2026
…header (mosip#1675)

* fixed ui rendering and biometric login issue caused by csp header

Signed-off-by: Sachin Rana <sacrana324@gmail.com>

* added mosip.net to csp header exception for images

Signed-off-by: Sachin Rana <sacrana324@gmail.com>

---------

Signed-off-by: Sachin Rana <sacrana324@gmail.com>

3 participants