- Type: Bug
- Status: Resolved
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 3.0.0
- Component/s: Web UI
- Tags:
- Backlog priority: 900
- Sprint: UI COOLDOWN - 2024-01, UI - 2024-3, UI - 2024-4, UI - 2024-5, UI COOLDOWN - 2024-4
- Story Points: 5
The Content-Security-Policy defined for Nuxeo includes the insecure 'unsafe-inline' source expression, with no nonce or hash validation, which exposes the Web UI to XSS attacks.
https://cwe.mitre.org/data/definitions/829.html
https://content-security-policy.com/unsafe-inline/
Overriding the default policy with the following custom CSP header breaks most of the Web UI components (including the login page):

    <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders">
      <header name="Content-Security-Policy">default-src 'self' https:; script-src 'self' https: 'unsafe-eval'; script-src-elem data: 'self' 'unsafe-eval' https:; style-src 'self' https: https://fonts.googleapis.com; style-src-elem 'self' https:; connect-src 'self' https: https://collect-us-east-1.tealiumiq.com https://ec.walkme.com wss://api.cobrowse.io; font-src 'self' https: data: https://fonts.gstatic.com; frame-src 'self' blob: https:; img-src 'self' data: https:;</header>
    </extension>

All inline scripts must carry a cryptographic nonce (number used once) or have their hash listed in the policy, so that only trusted scripts are executed.
The existing Nuxeo CSP header policy does not allow 'unsafe-inline' to be removed.
Expected solutions:
1) Provide an alternate option to inject nonces into Nuxeo's Web UI elements; this could take the form of an extension.
2) Otherwise, make Nuxeo Web UI behave correctly with the CSP header given above.
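The two mechanisms named above (hash-listing inline scripts, or tagging them with a per-response nonce) as an added worked example; this is illustrative code written for this issue, not Nuxeo code, and it assumes simple markup with no "</script>" inside script bodies and a constructed sample page rather than the real Web UI.

```python
import base64
import hashlib
import re
import secrets

# Matches <script ...>body</script>; assumes no "</script>" inside script bodies.
SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
                       re.DOTALL | re.IGNORECASE)

def _has_attr(attrs, name):
    return re.search(r"\b" + name + r"\s*=", attrs, re.IGNORECASE) is not None

def inline_script_hashes(html):
    """Return a 'sha256-...' CSP source for each inline <script> in html.
    The browser hashes the exact UTF-8 bytes between the tags, whitespace included."""
    sources = []
    for m in SCRIPT_RE.finditer(html):
        if _has_attr(m.group("attrs"), "src"):
            continue  # external script: covered by host sources, not by a hash
        digest = hashlib.sha256(m.group("body").encode("utf-8")).digest()
        sources.append("'sha256-%s'" % base64.b64encode(digest).decode("ascii"))
    return sources

def new_nonce():
    """Fresh 128-bit CSPRNG nonce, base64 encoded; generate one per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def inject_nonces(html, nonce):
    """Add nonce="..." to every inline <script> tag that does not already have one."""
    def add(m):
        attrs = m.group("attrs")
        if _has_attr(attrs, "src") or _has_attr(attrs, "nonce"):
            return m.group(0)
        return '<script nonce="%s"%s>%s</script>' % (nonce, attrs, m.group("body"))
    return SCRIPT_RE.sub(add, html)

def script_src(nonce=None, hashes=()):
    """Build a script-src directive that allows inline code only by nonce or hash,
    so 'unsafe-inline' is never needed."""
    sources = ["'self'", "https:"]
    if nonce:
        sources.append("'nonce-%s'" % nonce)
    sources.extend(hashes)
    return "script-src " + " ".join(sources)

# Constructed sample page (not Nuxeo markup): one external and one inline script.
SAMPLE = '<script src="/app.js"></script><script>init({"user":"demo"});</script>'
```

Hashes suit static inline scripts (any whitespace change breaks the match); a nonce suits templated pages, where the server generates it per response and puts it both in the header and on each inline tag.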
- Is related to: WEBUI-1282 Allow Content Security Policy without "script-src data:" (In Review)