Nuxeo Web UI / WEBUI-1495

NXUI: Enforce a stricter CSP policy by default


    Details

    • Type: Epic
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: UI

      Description

      The goal is to find the strictest policy we can enforce by default without breaking existing applications.

       

      Current CSP

      <header name="Content-Security-Policy">img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>

       

      Issues with current CSP

      • Remove 'unsafe-eval'. It is easily misused and can lead to various XSS vulnerabilities.
      • Remove 'unsafe-inline'
        • for script-src
        • can be kept for style-src
      • Try to get rid of data: and blob:. Where they are still needed, use them only with font-src, img-src, media-src, child-src, worker-src, frame-src and connect-src. script-src data: or script-src blob: can be considered equivalent to script-src 'unsafe-eval', since an attacker who can inject such a URL can execute arbitrary script.
      • default-src should not allow '*' as a source
      • script-src should not allow '*' as a source
      • object-src [missing]: see whether we can restrict object-src to 'none'. It is currently absent, so it falls back to default-src, which allows '*'.
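      As an added illustration (not part of this issue and not Nuxeo code), the following JavaScript parses a Content-Security-Policy value into its directives and reports each of the points listed above, so the current header and any replacement can be compared mechanically. CURRENT_CSP is the header quoted in this issue; CANDIDATE_CSP is an assumed example that passes these checks, not the policy this epic will settle on, and whether it breaks the default or a Studio-customized UI is exactly what the acceptance criteria below are meant to establish.

```javascript
// Added example, not Nuxeo code: a linter for the weaknesses listed above.
// It parses a Content-Security-Policy value into directives and reports each
// point the epic wants removed, so a candidate policy can be checked before
// it becomes the default.

// The header value quoted in the issue.
const CURRENT_CSP =
  "img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *";

// Assumed candidate (illustration only): passes the lint, but compatibility
// with the default and Studio-customized UI still has to be tested.
const CANDIDATE_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' blob:; object-src 'none'";

// Directives in which the issue tolerates data:/blob: sources.
const SCHEME_ALLOWED_IN = new Set([
  'font-src', 'img-src', 'media-src', 'child-src', 'worker-src', 'frame-src', 'connect-src',
]);

// Split a policy into a Map of directive name -> array of source expressions.
// Directives are ';'-separated, names are case-insensitive, and when a
// directive is repeated browsers honour the first occurrence only.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function isNone(sources) {
  return sources.length === 1 && sources[0] === "'none'";
}

// Return human-readable findings; an empty list means the policy satisfies
// every point in the issue's list.
function lintCsp(policy) {
  const d = parseCsp(policy);
  const defaultSrc = d.get('default-src') ?? [];
  const findings = [];

  // script-src falls back to default-src when absent, so check the effective value.
  const scriptSrc = d.get('script-src') ?? defaultSrc;
  for (const kw of ["'unsafe-eval'", "'unsafe-inline'"]) {
    if (scriptSrc.includes(kw)) findings.push(`script-src allows ${kw}`);
  }

  // data:/blob: anywhere except the directives where the issue tolerates them.
  for (const [name, sources] of d) {
    if (SCHEME_ALLOWED_IN.has(name)) continue;
    for (const scheme of ['data:', 'blob:']) {
      if (sources.includes(scheme)) findings.push(`${name} allows ${scheme}`);
    }
  }

  // Wildcard hosts in the two directives the issue calls out.
  for (const name of ['default-src', 'script-src']) {
    if ((d.get(name) ?? []).includes('*')) findings.push(`${name} allows '*'`);
  }

  // object-src also falls back to default-src; it should end up as 'none'.
  const objectSrc = d.get('object-src') ?? defaultSrc;
  if (!isNone(objectSrc)) {
    findings.push(d.has('object-src')
      ? "object-src is not 'none'"
      : "object-src is missing and default-src is not 'none'");
  }
  return findings;
}

// Stand-alone run: print the findings for both policies.
for (const [label, policy] of [['current', CURRENT_CSP], ['candidate', CANDIDATE_CSP]]) {
  const findings = lintCsp(policy);
  console.log(`${label}: ${findings.length ? findings.join('; ') : 'no findings'}`);
}
```

      Run with `node csp-lint.js`. The current header yields seven findings (the two unsafe keywords, blob: in default-src, data: in script-src, '*' in both default-src and script-src, and the missing object-src); the candidate yields none. The lint only tells you a policy is strict on paper; the acceptance criteria below are what decide whether it is usable.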

       

      AC (acceptance criteria)

      • The CSP policy must keep compatibility with existing applications
        • To be tested with the default UI
        • To be tested with a UI customized in Nuxeo Studio Designer
          • Specifically check the import mechanism, for which we use a polyfill to keep compatibility, since that is the most likely place for a stricter script-src to break things

       

      • The scope of the new CSP policy must be clarified
        • Provide a way for customers to test the change before it is enforced
        • Customers must have a way to go back to the existing policy if they require it. Overriding the header is already possible today, so this may only require documenting how to do it.

        People

        • Assignee: Unassigned
        • Reporter: Bertrand Chauvin (bchauvin)