- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 8.10
- Component/s: Web Common
The Content-Security-Policy header is useful to protect against a variety of attacks, one of them being clickjacking (https://www.owasp.org/index.php/Clickjacking).
We should allow this header to be present and configurable.
Note that all this can be easily mitigated by adding proper headers in a proxy server (https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options), but it's better to do it directly in Nuxeo.
Note that NXP-19629 already adds a separate X-Frame-Options header and is simpler to configure.
Nuxeo now includes a permissive Content-Security-Policy. The default Nuxeo configuration is:
<header name="Content-Security-Policy">default-src *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>
A stricter policy can be defined using a contribution like:
<require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require>
<extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders">
  <header name="Content-Security-Policy">default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: connect.nuxeo.com apis.google.com app.box.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; font-src 'self' data: fonts.gstatic.com; media-src 'self'; frame-src 'self' www.nuxeo.com accounts.google.com; frame-ancestors 'self'</header>
</extension>
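To make concrete what "permissive" versus "stricter" means for the two policies above, here is an added example (not Nuxeo code, and not part of this issue) that parses a Content-Security-Policy value the way a browser does, resolves the default-src fallback for fetch directives, and reports the settings a reviewer would flag. The two sample policies are copied from the text of this issue; the audit rules are the example's own heuristics, and frame-src is simplified to fall back straight to default-src (browsers consult child-src first).

```python
"""Parse Content-Security-Policy header values and flag permissive settings.

Added example, not Nuxeo's implementation. The two sample policies are
copied from the issue text; the audit rules are this example's own.
"""
from typing import Dict, List

# Samples copied from the issue: Nuxeo's default policy and the stricter contribution.
DEFAULT_CSP = ("default-src *; script-src 'unsafe-inline' 'unsafe-eval' data: *; "
               "style-src 'unsafe-inline' *; font-src data: *")
STRICT_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: "
              "connect.nuxeo.com apis.google.com app.box.com; "
              "style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self'; "
              "font-src 'self' data: fonts.gstatic.com; media-src 'self'; "
              "frame-src 'self' www.nuxeo.com accounts.google.com; frame-ancestors 'self'")

# Fetch directives that fall back to default-src when absent. frame-src is
# simplified here (browsers try child-src before default-src).
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "frame-src", "object-src")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a duplicated directive wins.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the source list a browser applies for a fetch directive,
    honouring the default-src fallback when the directive is absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(value: str) -> List[str]:
    """Return human-readable findings about the permissive parts of a policy."""
    policy = parse_csp(value)
    findings: List[str] = []
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if "*" in sources:
            findings.append(f"{directive}: wildcard '*' allows loading from any origin")
        if directive == "script-src":
            if "'unsafe-inline'" in sources:
                findings.append("script-src: 'unsafe-inline' permits inline scripts (XSS not mitigated)")
            if "'unsafe-eval'" in sources:
                findings.append("script-src: 'unsafe-eval' permits eval()/Function()")
            if "data:" in sources:
                findings.append("script-src: data: allows scripts from data URIs")
    # frame-ancestors does not fall back to default-src: if it is absent, the
    # CSP does nothing against clickjacking (X-Frame-Options aside).
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: page may be framed by any site (clickjacking)")
    return findings


if __name__ == "__main__":
    for label, csp in (("default", DEFAULT_CSP), ("strict", STRICT_CSP)):
        print(f"== {label} policy ==")
        for finding in audit_csp(csp):
            print("  -", finding)
```

Run against the two policies, the default one produces findings for every fetch directive (the wildcard in default-src propagates to all of them) plus the missing frame-ancestors, while the stricter contribution is reduced to the three script-src relaxations it still carries ('unsafe-inline', 'unsafe-eval' and data:), which is the residual risk to weigh when tightening it further.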