Uploaded image for project: 'Nuxeo Web UI'
  1. Nuxeo Web UI
  2. WEBUI-1497

CSP should not allow '*' as source for default-src & script-src

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.0.x, 3.1.x
    • Fix Version/s: 3.0.x, 3.1.x
    • Component/s: UI, Web UI

      Description

      • default-src: should not allow '*' as source
      • script-src should not allow '*' as source

      AC

        • CSP policy must keep compatibility with existing applications
          • To be tested with default UI
          • To be tested with a customized UI configured in Nuxeo Studio Designer
            • Specifically check for the import mechanism for which we are using a polyfill to keep compatibility

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:

                Time Tracking

                Estimated:
                Original Estimate - 1 week, 4 days, 1 hour
                1w 4d 1h
                Remaining:
                Time Spent - 1 day, 1 hour Remaining Estimate - 1 week, 3 days
                1w 3d
                Logged:
                Time Spent - 1 day, 1 hour Remaining Estimate - 1 week, 3 days
                1d 1h