Uploaded image for project: 'Nuxeo Web UI'
  1. Nuxeo Web UI
  2. WEBUI-1282

Allow Content Security Policy without "script-src data:"

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: In Review
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.0.x, 3.1.x
    • Component/s: UI

      Description

      In Content Security Policies (CSP), the data: directive of script-src can be considered insecure - similar to usages of unsafe-eval and unsafe-inline.

      While WEBUI-60 allows for the removal of unsafe-eval and unsafe-inline from the CSP by disabling org.nuxeo.web.ui.expressions.eval, this does not prevent browser errors from occurring when the data: directive is removed. There should be a mechanism to allow Polymer scripts to execute without the need for this policy directive.

      Steps to Reproduce:

      1. Set the following contribution (via XML extension or configuration template):

      <require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require>
<extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders">
   <header name="Content-Security-Policy">default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: www.nuxeo.com; font-src * data:; media-src 'self'; frame-src 'self'; frame-ancestors 'self'; object-src 'none';</header>
</extension>

<extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
   <property name="org.nuxeo.web.ui.expressions.eval">false</property>
</extension>

      2. Login to the instance via Web UI

      Expected behavior: nuxeo-home loads; page is traversible

      Actual behavior: nuxeo-home is blank; several errors outputted in the browser console (see screenshot).

      Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. NXP-32879 NUXEO API Documentation page did not display list of items

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. WEBUI-1575 The content of the spreadsheet popup did not load correctly

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. WEBUI-1579 Clear button in select all functionality shows csp error

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. WEBUI-1446 Manage CSP headers without the insecure "unsafe-inline" directive

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is required by

          Bug - A problem which impairs or prevents the functions of the product. WEBUI-1497 CSP should not allow '*' as source for default-src & script-src

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • In Review

          Task - A task that needs to be done. ELEMENTS-1759 Allow Content Security Policy without "script-src data:"

          • Major - Major loss of function.
          • In Review
          links to

          Web Link LTS-2021

          Web Link LTS-2023

          mentioned in

          Page Loading...

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:

                  Time Tracking

                  Estimated:
                  Original Estimate - 1 day Original Estimate - 1 day
                  1d
                  Remaining:
                  Time Spent - 4 days, 5 minutes Remaining Estimate - 3 hours
                  3h
                  Logged:
                  Time Spent - 4 days, 5 minutes Remaining Estimate - 3 hours
                  4d 5m