- Type: Epic
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: UI
- Tags:
Goal is to find the strictest policy we can enforce by default without breaking existing applications.
Current CSP
<header name="Content-Security-Policy">img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>
Issues with current CSP
- Remove usage of 'unsafe-eval'. It is easily misused and can lead to various XSS vulnerabilities.
- Remove usage of 'unsafe-inline':
  - for script-src
  - can be kept for style-src
- Try getting rid of data: and blob:. As much as possible, use them only with font-src, img-src, media-src, child-src, worker-src, frame-src, connect-src. Using script-src data: or script-src blob: can be considered equivalent to script-src 'unsafe-eval'.
- default-src should not allow '*' as a source
- script-src should not allow '*' as a source
- object-src [missing]: see if we can restrict object-src to 'none'
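As an added illustration (not from this ticket or the Nuxeo codebase), the checks listed above expressed as a small Python audit of a CSP header value, run against the current policy and against a constructed candidate policy that is an assumption for demonstration, not the final Nuxeo policy:

```python
# Added example: audit a CSP header value against the rules listed in this ticket.
CURRENT_CSP = ("img-src data: blob: *; default-src blob: *; "
               "script-src 'unsafe-inline' 'unsafe-eval' data: *; "
               "style-src 'unsafe-inline' *; font-src data: *")

# Constructed candidate policy (an assumption, not the final Nuxeo policy).
CANDIDATE_CSP = ("default-src 'self'; script-src 'self'; "
                 "style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; "
                 "font-src 'self' data:; object-src 'none'")

# Directives where the ticket tolerates data: and blob: sources.
SCHEME_OK = {"font-src", "img-src", "media-src", "child-src",
             "worker-src", "frame-src", "connect-src"}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit_csp(header):
    """Return the ticket's findings for a policy; an empty list means it passes."""
    policy = parse_csp(header)
    default = policy.get("default-src", [])
    # script-src and object-src fall back to default-src when absent.
    script = policy.get("script-src", default)
    obj = policy.get("object-src", default)
    findings = []
    for keyword in ("'unsafe-eval'", "'unsafe-inline'"):
        if keyword in script:
            findings.append(f"script-src allows {keyword}")
    for directive in ("default-src", "script-src"):
        if "*" in policy.get(directive, []):
            findings.append(f"{directive} allows *")
    for directive, sources in policy.items():
        if directive not in SCHEME_OK:
            for scheme in ("data:", "blob:"):
                if scheme in sources:
                    findings.append(f"{directive} allows {scheme}")
    if obj != ["'none'"]:
        findings.append("object-src is not restricted to 'none'")
    return findings
```

`audit_csp(CURRENT_CSP)` reports seven findings (one per rule above, including the missing object-src), while the candidate policy reports none; the check only covers the rules in this ticket, so a wildcard in style-src is deliberately not flagged.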
AC (Acceptance Criteria)
- CSP policy must keep compatibility with existing applications
  - To be tested with the default UI
  - To be tested with a customized UI configured in Nuxeo Studio Designer
    - Specifically check the import mechanism, for which we are using a polyfill to keep compatibility
- The scope of the new CSP policy must be clarified
- Provide a way for customers to test the change
- Customers must have a way to go back to the existing policy if they require it; documentation on how to do that may be enough, since this is already possible today