
fix: add Segment CDN domains to CSP for LFX Segments Analytics#479

Merged
ahmedomosanya merged 1 commit into main from issue-#4790-segement-script
Sep 25, 2025

Conversation

@ahmedomosanya
Collaborator

@ahmedomosanya ahmedomosanya commented Sep 24, 2025

  • Add https://cdn.segment.com to connect-src and script-src
  • Resolves CSP violation errors when loading analytics configurations
  • Enables proper initialization of LFX Segments Analytics library
  • Maintains security while allowing necessary analytics functionality

Fixes CSP error: 'Refused to connect to https://cdn.segment.com/v1/projects/.../settings'

Addresses: linuxfoundation/easycla#4790
Signed-off-by: ahmedomosanya <aopeyemi@contractor.linuxfoundation.org>

Summary by CodeRabbit

  • Chores
    • Expanded Content Security Policy to include Segment’s CDN for both script and connection sources, aligning with existing analytics endpoints.
    • Reduces potential resource blocking and improves reliability of analytics loading.
    • No changes to runtime behavior or user-facing functionality beyond allowing these resources.

@coderabbitai

coderabbitai bot commented Sep 24, 2025

Walkthrough

Updated Content Security Policy in edge/security-headers.js to include https://cdn.segment.com in connect-src and script-src directives. No other logic or exports changed.

Changes

Cohort / File(s): CSP updates for Segment CDN (edge/security-headers.js)
Summary of Changes: Added https://cdn.segment.com to connect-src and script-src alongside existing Segment dev/prod sources. No other CSP directives or runtime logic modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I twitch my whiskers, scan the sky,
New CSP stars now gleam up high—
Segment’s CDN joins the run,
connect and script both hop as one.
Paw-prints signed, headers neat,
Safely nibbling bytes so sweet. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check: ✅ Passed. The title "fix: add Segment CDN domains to CSP for LFX Segments Analytics" clearly and concisely summarizes the primary change—adding the Segment CDN to CSP so LFX Segments Analytics can initialize—and uses a conventional commit prefix to indicate a bugfix. It directly reflects the changes to CSP sources in edge/security-headers.js described in the PR and is specific enough for history scanning. The phrasing is relevant and not misleading.


📥 Commits

Reviewing files that changed from the base of the PR and between 1d5b09f and 732b709.

📒 Files selected for processing (1)
  • edge/security-headers.js (2 hunks)
🔇 Additional comments (2)
edge/security-headers.js (2)

69-71: CSP script-src: Correct to allow cdn.segment.com for Segment loader

This should permit loading analytics.js and related assets from Segment’s CDN.

Please validate in a staging environment that:

  • The original CSP violation is resolved (settings fetch no longer blocked).
  • No new CSP errors appear for analytics payloads (e.g., posts to api.segment.io or lfx-segment endpoints).

54-56: CSP connect-src: confirm if direct egress to api.segment.io is intended

Repo loads the LFX Segments client (src/app/shared/services/lfx-analytics.service.ts — script.src = environment.lfxSegmentAnalyticsUrl; see src/environments/). edge/security-headers.js currently allows https://api.segment.io and https://cdn.segment.com but I found no other repo references to api.segment.io. The external lfx-segment script may still POST to Segment — inspect that script/config or confirm with infra/compliance; if all telemetry must be proxied via lfx-segment., remove https://api.segment.io from connect-src.


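Both review points above (script-src for the Segment loader, and whether api.segment.io still belongs in connect-src) come down to the same question: which request URLs does a CSP directive actually admit? The block below is an added example, not the project's edge/security-headers.js and not code from any of the reviewers. It builds a before/after policy from the sources named in this PR, evaluates the blocked settings URL from the reported violation against each, and reports connect-src entries that no observed request uses. The app origin easycla.example, the WRITEKEY_PLACEHOLDER path segment, the contents of the "before" script-src and the observed request sample are all constructed assumptions; the matcher is a simplified version of CSP source-expression matching (no nonce, hash or redirect handling).

```javascript
// Added example (not the project's edge/security-headers.js): build the CSP
// described in the PR, check which fetch targets each directive permits, and
// report allowlisted sources that no observed request actually needs.
// Everything except the two Segment hosts named on the PR page is constructed.

const SELF_ORIGIN = "https://easycla.example"; // constructed placeholder for the app origin

// Serialize a { directive: [sources] } object into a CSP header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a CSP header value into a Map of directive -> [source expressions].
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) map.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return map;
}

// Simplified host-source matching: optional scheme, "*." wildcard host, port, path prefix.
// Nonces and hashes are ignored on purpose: they never apply to connect-src targets.
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === SELF_ORIGIN;
  if (source === "'none'") return false;
  if (source === "*") return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1);
  // A bare host inherits the page's scheme; an http: source also admits https: (upgrade is allowed).
  const wantScheme = scheme ? scheme.toLowerCase() : new URL(SELF_ORIGIN).protocol.slice(0, -1);
  if (urlScheme !== wantScheme && !(wantScheme === "http" && urlScheme === "https")) return false;
  const h = host.toLowerCase();
  const uh = url.hostname.toLowerCase();
  if (wildcard ? !uh.endsWith("." + h) : uh !== h) return false;
  if (port && port !== "*") {
    const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
    if (port !== urlPort) return false;
  }
  if (path && path !== "/") {
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a request to urlString be permitted by `directive`? Fetch directives fall back to default-src.
function isAllowed(policy, directive, urlString) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) ?? directives.get("default-src") ?? [];
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url));
}

// Least-privilege audit: which sources of `directive` did none of the observed request URLs need?
function unusedSources(policy, directive, observedUrls) {
  const sources = parseCsp(policy).get(directive) ?? [];
  const used = new Set();
  for (const u of observedUrls) {
    const url = new URL(u);
    for (const s of sources) if (sourceMatches(s, url)) used.add(s);
  }
  return sources.filter((s) => !used.has(s));
}

// Policy before and after the change in this PR. api.segment.io is listed in connect-src because the
// review thread says the file already allows it; the rest of the "before" contents are assumed.
const CSP_BEFORE = buildCsp({
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "connect-src": ["'self'", "https://api.segment.io"],
});
const CSP_AFTER = buildCsp({
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.segment.com"],
  "connect-src": ["'self'", "https://api.segment.io", "https://cdn.segment.com"],
});

// The URL from the reported violation, with the project id replaced by a constructed placeholder.
const SETTINGS_URL = "https://cdn.segment.com/v1/projects/WRITEKEY_PLACEHOLDER/settings";

// Constructed sample of requests seen during a staging session (not real traffic).
const OBSERVED = [
  SETTINGS_URL,
  "https://cdn.segment.com/analytics.js/v1/WRITEKEY_PLACEHOLDER/analytics.min.js",
  "https://easycla.example/api/v1/user",
];

console.log("settings fetch before:", isAllowed(CSP_BEFORE, "connect-src", SETTINGS_URL)); // false
console.log("settings fetch after: ", isAllowed(CSP_AFTER, "connect-src", SETTINGS_URL));  // true
console.log("unused connect-src:   ", unusedSources(CSP_AFTER, "connect-src", OBSERVED));  // [ 'https://api.segment.io' ]
```

Run it with node. The unused-source report is the check the connect-src review comment asks for: if staging traffic never reaches https://api.segment.io, that entry is an egress allowance nobody uses and can be dropped from connect-src instead of being carried along with the new CDN source.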


Copilot AI left a comment


Pull Request Overview

This PR fixes Content Security Policy (CSP) violations by adding the Segment CDN domain to the allowlist for analytics functionality. The change enables proper initialization of LFX Segments Analytics library by allowing connections to and script loading from the Segment CDN.

Key Changes

  • Added https://cdn.segment.com to both connect-src and script-src CSP directives
  • Maintained security while enabling necessary analytics functionality


@ahmedomosanya ahmedomosanya self-assigned this Sep 24, 2025
Member

@lukaszgryglicki lukaszgryglicki left a comment


/lgtm

@ahmedomosanya ahmedomosanya merged commit 32bb09c into main Sep 25, 2025
9 checks passed
@ahmedomosanya ahmedomosanya deleted the issue-#4790-segement-script branch September 25, 2025 10:31
2 participants