From d65a3e041780e09b8a407d30b028e7af62ad92e5 Mon Sep 17 00:00:00 2001
From: Chris Campbell
Date: Mon, 24 Apr 2023 10:42:09 +1000
Subject: [PATCH 1/4] Remove `probably_authenticated`

---
 app/controllers/application_controller.rb | 9 ---------
 app/views/application/_head.html.erb | 2 +-
 app/views/application/_helpscout.html.erb | 6 ++----
 3 files changed, 3 insertions(+), 14 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index eb02d1c0e29..9baf6e68013 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,6 +1,4 @@
 class ApplicationController < ActionController::Base
- helper_method :probably_authenticated?
-
 def route_not_found
 render file: Rails.root.join("public","404.html"), layout: false, status: 404
 end
@@ -20,11 +18,4 @@ def append_info_to_payload(payload)
 payload[:remote_ip] = request.remote_ip
 payload[:user_agent] = request.user_agent
 end
-
-
- # When you login to Buildkite, we set this cookie as an indicator for other
- # services that the user *may* be logged in.
- def probably_authenticated?
- request.cookie_jar[:bk_logged_in] == "true"
- end
 end
diff --git a/app/views/application/_head.html.erb b/app/views/application/_head.html.erb
index a682d1fa8aa..f07eb918f4d 100644
--- a/app/views/application/_head.html.erb
+++ b/app/views/application/_head.html.erb
@@ -35,7 +35,7 @@
-<%= render 'analytics', application: 'docs', title: "Docs / #{content_for(:page_title)}", logged_in: probably_authenticated? %>
+<%= render 'analytics' %>
 <% if ENV.fetch("ROBOTS_NO_INDEX") { "false" } == "true" %>
diff --git a/app/views/application/_helpscout.html.erb b/app/views/application/_helpscout.html.erb
index 2f20cc8b79c..0892fdec16a 100644
--- a/app/views/application/_helpscout.html.erb
+++ b/app/views/application/_helpscout.html.erb
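Review bot: In the `_head.html.erb` hunk, `render 'analytics'` no longer passes the `application:`, `title:` and `logged_in:` locals, and nothing in this commit touches `_analytics.html.erb`; if that partial still reads any of them, rendering raises a `NameError` for the undefined local on every page. The partial's `analytics.page({` call (visible in patch 3 of this series) is the place where `title` or `logged_in` would plausibly be read, but its arguments lie outside the hunks shown here, so this needs a grep of the partial before merging. If `logged_in` is still referenced, give the Segment payload an explicit replacement (or drop the key) rather than relying on a missing local.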
@@ -1,4 +1,2 @@ -<%= javascript_tag nonce: true do -%> - !function(e,t,n){function a(){var e=t.getElementsByTagName("script")[0],n=t.createElement("script");n.type="text/javascript",n.async=!0,n.src="https://beacon-v2.helpscout.net",e.parentNode.insertBefore(n,e)}if(e.Beacon=n=function(t,n,a){e.Beacon.readyQueue.push({method:t,options:n,data:a})},n.readyQueue=[],"complete"===t.readyState)return a();e.attachEvent?e.attachEvent("onload",a):e.addEventListener("load",a,!1)}(window,document,window.Beacon||function(){}); - window.Beacon('init', "<%= ENV.fetch('HELPSCOUT_BEACON_ID', "1d032e87-e8df-4c7f-a423-a6825b9752a2")%>"); -<% end %> +!function(e,t,n){function a(){var e=t.getElementsByTagName("script")[0],n=t.createElement("script");n.type="text/javascript",n.async=!0,n.src="https://beacon-v2.helpscout.net",e.parentNode.insertBefore(n,e)}if(e.Beacon=n=function(t,n,a){e.Beacon.readyQueue.push({method:t,options:n,data:a})},n.readyQueue=[],"complete"===t.readyState)return a();e.attachEvent?e.attachEvent("onload",a):e.addEventListener("load",a,!1)}(window,document,window.Beacon||function(){}); +window.Beacon('init', "<%= ENV.fetch('HELPSCOUT_BEACON_ID', "1d032e87-e8df-4c7f-a423-a6825b9752a2")%>"); From d81b0d7f81e1542b02399e753f6620b735f76cf9 Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Mon, 24 Apr 2023 12:07:07 +1000 Subject: [PATCH 2/4] Cache for 5 minutes --- app/controllers/pages_controller.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb index fdd6343070d..a624c562e11 100644 --- a/app/controllers/pages_controller.rb +++ b/app/controllers/pages_controller.rb 
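Review bot: With the `<%= javascript_tag nonce: true do -%>` / `<% end %>` wrapper removed, `_helpscout.html.erb` now emits the beacon loader and the `window.Beacon('init', …)` call as bare text; unless the template that renders this partial wraps it in a `<script>` element (not visible here), the code is printed into the page rather than executed. Patch 3 of this series puts `<%= javascript_tag do -%>` back, which suggests it was needed, so patches 1–2 leave the tree in a non-working intermediate state; keeping the wrapper here (just without `nonce: true`) would make each commit stand on its own.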
@@ -3,12 +3,15 @@ class PagesController < ApplicationController layout :layout_by_path def index - @nav = default_nav + expires_in 5.minutes, public: true, must_revalidate: true + @nav = default_nav render :index, layout: "homepage" end def show + expires_in 5.minutes, public: true, must_revalidate: true + @nav = default_nav @page = Page.new(view_context, params[:path]) @@ -21,6 +24,7 @@ def show redirect_to "/docs/#{@page.canonical_url}", status: :moved_permanently end + # Otherwise, render the page (the default) end From 69224c9f02eafa73cce1a2a107a169b868f2dd39 Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Mon, 24 Apr 2023 12:09:22 +1000 Subject: [PATCH 3/4] Replace script nonce with unsafe-inline Our CSP is currently in reporting mode so not blocking anything at the moment meaning this won't change the current behaviour. By removing our nonce hash we can effectively start caching pages that use inline scripts since the content won't change between requests. --- app/views/application/_algolia.html.erb | 2 +- app/views/application/_analytics.html.erb | 4 ++-- app/views/application/_footer.html.erb | 4 ++-- app/views/application/_head.html.erb | 4 +--- app/views/application/_helpscout.html.erb | 6 ++++-- config/initializers/content_security_policy.rb | 4 +--- 6 files changed, 11 insertions(+), 13 deletions(-) diff --git a/app/views/application/_algolia.html.erb b/app/views/application/_algolia.html.erb index d34d8492103..9aeb67c8988 100644 --- a/app/views/application/_algolia.html.erb +++ b/app/views/application/_algolia.html.erb @@ -1,4 +1,4 @@ -<%= javascript_tag nonce: true do %> +<%= javascript_tag do %> /* This api key is intentionally public */ docsearch({ apiKey: '<%= algolia_api_key %>', diff --git a/app/views/application/_analytics.html.erb b/app/views/application/_analytics.html.erb index 3fbce81edcf..d720bf607a5 100644 --- a/app/views/application/_analytics.html.erb +++ b/app/views/application/_analytics.html.erb 
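Review bot: `expires_in 5.minutes, public: true, must_revalidate: true` in `index` and `show` marks these responses as storable by shared caches (CDN, proxies), so any per-visitor header on them — notably a `Set-Cookie` for the Rails session, which the layout would write if it renders `csrf_meta_tags` or anything else touches the session — could be served from the cache to other visitors; whether these responses touch the session is not visible in this diff and is worth confirming before it ships. In `show` the header is set ahead of the `redirect_to … status: :moved_permanently` branch in the second hunk and ahead of whatever the not-found path does (`show`'s body continues outside the first hunk), so those responses inherit the public caching as well — fine for the 301, but it should be deliberate for error responses. The duplicated call could also be hoisted, e.g. `before_action(only: %i[index show]) { expires_in 5.minutes, public: true, must_revalidate: true }`, so the two actions cannot drift apart.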
@@ -1,5 +1,5 @@ -<%= javascript_tag nonce: true do %> +<%= javascript_tag do %> var getFirstSource = function() { const firstSourceCookie = '_first_lead_source', firstReferrerCookie = '_first_referrer', @@ -76,7 +76,7 @@ var getFirstSource = function() { <% end %> -<%= javascript_tag nonce: true do %> +<%= javascript_tag do %> !function(){var analytics=window.analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","once","off","on","addSourceMiddleware","addIntegrationMiddleware","setAnonymousId","addDestinationMiddleware"];analytics.factory=function(e){return function(){var t=Array.prototype.slice.call(arguments);t.unshift(e);analytics.push(t);return analytics}};for(var e=0;e";;analytics.SNIPPET_VERSION="4.15.3"; analytics.load("<%= ENV['SEGMENT_TRACKING_ID'] %>"); analytics.page({ diff --git a/app/views/application/_footer.html.erb b/app/views/application/_footer.html.erb index 9185ec0159c..c850c320736 100644 --- a/app/views/application/_footer.html.erb +++ b/app/views/application/_footer.html.erb @@ -45,9 +45,9 @@ <% unless hide_feedback %> <% emojicom_campaign_id = Rails.env.production? ? '7O7Rc8JaykqXiCmaqe1C' : 'YeriBgQjRQmOU3br2W1g' %> - <%= javascript_tag nonce: true do %> + <%= javascript_tag do %> window.emojicom_widget = { campaign: "<%= emojicom_campaign_id %>" }; <% end %> - <%= javascript_include_tag 'https://cdn.emojicom.io/embed/widget.js', async: true, nonce: true %> + <%= javascript_include_tag 'https://cdn.emojicom.io/embed/widget.js', async: true %> <% end %> diff --git a/app/views/application/_head.html.erb b/app/views/application/_head.html.erb index f07eb918f4d..caa52d9b98c 100644 --- a/app/views/application/_head.html.erb +++ b/app/views/application/_head.html.erb 
@@ -10,9 +10,7 @@ <%= stylesheet_link_tag "docsearch", "application", media: "all" %> -<%= javascript_include_tag "docsearch", nonce: true %> - -<%= csp_meta_tag %> +<%= javascript_include_tag "docsearch" %> diff --git a/app/views/application/_helpscout.html.erb b/app/views/application/_helpscout.html.erb index 0892fdec16a..6ddb7eb7ae3 100644 --- a/app/views/application/_helpscout.html.erb +++ b/app/views/application/_helpscout.html.erb @@ -1,2 +1,4 @@ -!function(e,t,n){function a(){var e=t.getElementsByTagName("script")[0],n=t.createElement("script");n.type="text/javascript",n.async=!0,n.src="https://beacon-v2.helpscout.net",e.parentNode.insertBefore(n,e)}if(e.Beacon=n=function(t,n,a){e.Beacon.readyQueue.push({method:t,options:n,data:a})},n.readyQueue=[],"complete"===t.readyState)return a();e.attachEvent?e.attachEvent("onload",a):e.addEventListener("load",a,!1)}(window,document,window.Beacon||function(){}); -window.Beacon('init', "<%= ENV.fetch('HELPSCOUT_BEACON_ID', "1d032e87-e8df-4c7f-a423-a6825b9752a2")%>"); +<%= javascript_tag do -%> + !function(e,t,n){function a(){var e=t.getElementsByTagName("script")[0],n=t.createElement("script");n.type="text/javascript",n.async=!0,n.src="https://beacon-v2.helpscout.net",e.parentNode.insertBefore(n,e)}if(e.Beacon=n=function(t,n,a){e.Beacon.readyQueue.push({method:t,options:n,data:a})},n.readyQueue=[],"complete"===t.readyState)return a();e.attachEvent?e.attachEvent("onload",a):e.addEventListener("load",a,!1)}(window,document,window.Beacon||function(){}); + window.Beacon('init', "<%= ENV.fetch('HELPSCOUT_BEACON_ID', "1d032e87-e8df-4c7f-a423-a6825b9752a2")%>"); +<% end %> diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index f6a99db9019..1565223306a 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb 
@@ -32,6 +32,7 @@ policy.script_src( :self, + :unsafe_inline, "https://www.googletagmanager.com/", "https://cdn.segment.com/", "https://cdn.emojicom.io/", @@ -69,9 +70,6 @@ policy.report_uri "/_csp-violation-reports" end -# We use nonce for inline scripts -Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) } - # Report CSP violations to a specified URI # For further information see the following documentation: # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only From f6ebed4749220d0bd600d16783c52106d478eaa0 Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Mon, 24 Apr 2023 12:42:24 +1000 Subject: [PATCH 4/4] Remove "Dashboard" button Signup / Login both redirect to the Dashboard --- app/views/application/_global_links.html.erb | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/app/views/application/_global_links.html.erb b/app/views/application/_global_links.html.erb index 35b7f2546ce..6bc0e1a66ba 100644 --- a/app/views/application/_global_links.html.erb +++ b/app/views/application/_global_links.html.erb @@ -12,16 +12,10 @@ - <% if probably_authenticated? %> - - <% else %> -
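Review bot: Adding `:unsafe_inline` to `script_src` in the first hunk gives up what a script-src policy is for — telling the site's own scripts apart from injected inline ones, including inline event handlers and `javascript:` URLs — and since the policy is report-only, as the message says, the immediate effect is that such injections stop being reported at all, which makes a later move to enforcement harder rather than easier. The inline snippets whose nonces are dropped in the `_algolia`, `_analytics`, `_footer`, `_head` and `_helpscout` hunks appear to interpolate only per-deploy values (`ENV['SEGMENT_TRACKING_ID']`, `HELPSCOUT_BEACON_ID`, the emojicom campaign id, `algolia_api_key`), so their rendered bytes should be stable across requests and the caching goal can be met with `'sha256-…'` hash sources computed at deploy time, or by moving the bootstrap code into asset files served under `:self` with the ids passed through `data-` attributes. If `:unsafe_inline` has to land first, record the trade-off on the line so it does not become permanent, e.g. `:unsafe_inline, # TODO(csp): temporary, for cacheable pages; replace with sha256 hash sources`.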
  • - <%= link_to "Login", "https://buildkite.com/login", class: "Button Button--link Button--small" %> -
  • - - <% end %> +
  • + <%= link_to "Login", "https://buildkite.com/login", class: "Button Button--secondary Button--small" %> +
  • +