Uploaded image for project: 'Nuxeo Web UI'
  1. Nuxeo Web UI
  2. WEBUI-1446

Manage CSP headers without the insecure "unsafe-inline" directive

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.0.x, 3.1.x
    • Component/s: Web UI

      Description

      The Content-Security-Policy defined for Nuxeo includes the insecure "unsafe-inline" directive without nonce or hash validation exposing it to XSS attacks.

      https://cwe.mitre.org/data/definitions/829.html

      https://content-security-policy.com/unsafe-inline/

      Overriding the default policy with our custom CSP headers results in most of the Web components breaking (including the login page)

        <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders">
          <header name="Content-Security-Policy">default-src 'self' https:; script-src 'self' https: 'unsafe-eval'; script-src-elem data: 'self' 'unsafe-eval' https:; style-src 'self' https: https://fonts.googleapis.com; style-src-elem 'self' https:; connect-src 'self' https: https://collect-us-east-1.tealiumiq.com https://ec.walkme.com wss://api.cobrowse.io; font-src 'self' https: data: https://fonts.gstatic.com;frame-src 'self' blob: https:;img-src 'self' data: https:;</header>
        </extension>
      

      All inline scripts must be injected with a cryptographic nonce (number used once) or a hash, to ensure only trusted scripts are executed.

      The existing CSP header policy of Nuxeo doesn't let remove 'unsafe-inline'.

      Expected solutions:

      1) have an alternate option to inject the nonces into the Nuxeo's Web UI elements: this could be in the form of an extension.

      2) Otherwise manage the proper behavior of Nuxeo WebUI with the CSP header provided in the paragraph above

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: