Nuxeo Web UI: WEBUI-1446

Manage CSP headers without the insecure "unsafe-inline" directive


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.0.x, 3.1.x
    • Component/s: Web UI

      Description

      The Content-Security-Policy defined for Nuxeo includes the insecure "unsafe-inline" directive without nonce or hash validation, exposing the application to XSS attacks.

      https://cwe.mitre.org/data/definitions/829.html

      https://content-security-policy.com/unsafe-inline/

      Overriding the default policy with our custom CSP headers results in most of the Web components breaking (including the login page):

        <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders">
          <header name="Content-Security-Policy">default-src 'self' https:; script-src 'self' https: 'unsafe-eval'; script-src-elem data: 'self' 'unsafe-eval' https:; style-src 'self' https: https://fonts.googleapis.com; style-src-elem 'self' https:; connect-src 'self' https: https://collect-us-east-1.tealiumiq.com https://ec.walkme.com wss://api.cobrowse.io; font-src 'self' https: data: https://fonts.gstatic.com;frame-src 'self' blob: https:;img-src 'self' data: https:;</header>
        </extension>
      

      All inline scripts must be injected with a cryptographic nonce (number used once) or a hash, to ensure only trusted scripts are executed.

      The existing CSP header policy of Nuxeo does not allow removing 'unsafe-inline'.

      Expected solutions:

      1) provide an alternative mechanism to inject the nonces into the Nuxeo Web UI elements; this could take the form of an extension.

      2) Otherwise, make Nuxeo Web UI behave correctly with the CSP header provided in the paragraph above.
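      An added example, not code from this ticket or from Nuxeo: it parses a CSP header value, reports which script/style directives still honour 'unsafe-inline' (once a nonce or hash source is present in the same list, browsers ignore 'unsafe-inline', which is what the nonce-based approach relies on), generates a per-response nonce and rewrites a policy to use it in place of 'unsafe-inline'. The function names are assumptions and any policy strings fed to it are constructed samples.

```python
import base64
import secrets

# Directives that govern inline script/style, each with its CSP fallback chain.
FALLBACKS = {
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "style-src": ["default-src"],
    "style-src-elem": ["style-src", "default-src"],
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list that actually applies after CSP fallback."""
    for name in [directive] + FALLBACKS[directive]:
        if name in policy:
            return policy[name]
    return []

def unsafe_inline_directives(header):
    """Directives still honouring 'unsafe-inline' (a nonce/hash source makes browsers ignore it)."""
    policy = parse_csp(header)
    flagged = []
    for directive in FALLBACKS:
        sources = effective_sources(policy, directive)
        if "'unsafe-inline'" in sources and not any(s.startswith(NONCE_OR_HASH) for s in sources):
            flagged.append(directive)
    return flagged

def new_nonce_source():
    """Fresh unguessable nonce source; generate one per response and never reuse it."""
    return "'nonce-" + base64.b64encode(secrets.token_bytes(16)).decode("ascii") + "'"

def harden(header, nonce_source):
    """Drop 'unsafe-inline' from script/style directives and add the per-request nonce."""
    policy = parse_csp(header)
    for directive, sources in policy.items():
        if directive.startswith(("script-src", "style-src")):
            sources[:] = [s for s in sources if s not in ("'unsafe-inline'", nonce_source)] + [nonce_source]
    return "; ".join(d + " " + " ".join(s) for d, s in policy.items())
```

      The same nonce value emitted in the header must also be placed on each inline `<script>`/`<style>` element of that response, otherwise the browser blocks them just as it would without any nonce.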

        Attachments

        1. 2023_without_unsafe_inline_csp.mp4
          10.54 MB
          rakesh.kumarsingh@contractors.onbase.com
        2. Screen Recording 2024-05-06 at 1.35.48 PM.mp4
          1.39 MB
          nsingh@ext.nuxeo.com
