Uploaded image for project: 'Nuxeo Web UI'
  1. Nuxeo Web UI
  2. WEBUI-1496

Remove usage of 'unsafe-eval' from CSP

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: In Progress
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.0.x, 3.1.x
    • Fix Version/s: 3.0.x, 3.1.x
    • Component/s: UI, Web UI

      Description

      • Remove usage of 'unsafe-eval'.
      • It is easily misused and can lead to various XSS vulnerabilities.

      Current CSP

      <header name="Content-Security-Policy">img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>

       

      AC

      • CSP policy must keep compatibility with existing applications
        • To be tested with default UI
        • To be tested with a customized UI configured in Nuxeo Studio Designer
          • Specifically check for the import mechanism for which we are using a polyfill to keep compatibility

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. ELEMENTS-1682 Ensure JS arrow function used in nuxeo-filter works when expressions eval is disabled

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: