-
Type:
Improvement
-
Status: Open
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: 3.0.0
-
Component/s: UI
-
Tags:
-
Backlog priority:800
-
Sprint:UI - 2023-10, UI - 2023-11, UI COOLDOWN - 2023-10, UI - 2024-5
-
Story Points:5
In Content Security Policies (CSP), the data: directive of script-src can be considered insecure - similar to usages of unsafe-eval and unsafe-inline.
While WEBUI-60 allows for the removal of unsafe-eval and unsafe-inline from the CSP by disabling org.nuxeo.web.ui.expressions.eval, this does not prevent browser errors from occurring when the data: directive is removed. There should be a mechanism to allow Polymer scripts to execute without the need for this policy directive.
Steps to Reproduce:
1. Set the following contribution (via XML extension or configuration template):
<require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require> <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders"> <header name="Content-Security-Policy">default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: www.nuxeo.com; font-src * data:; media-src 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';</header> </extension> <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration"> <property name="org.nuxeo.web.ui.expressions.eval">false</property> </extension>
2. Login to the instance via Web UI
Expected behavior: nuxeo-home loads; page is traversible
Actual behavior: nuxeo-home is blank; several errors outputted in the browser console (see screenshot).
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
- is related to
-
WEBUI-1446 Manage CSP headers without the insecure "unsafe-inline" directive
-
- In Progress
-
