[WEBUI-1497] CSP should not allow '*' as source for default-src & script-src - Nuxeo Issue Tracker

XML

Word

Printable

Epic Link:
NXUI: Enforce a stricter CSP policy by default
Tags:
- nxui
- nxui-triaged
- security
- ui
Sprint:
UI - 2024-6, UI - 2024-7, UI - 2024-8, UI COOLDOWN - 2024-6, UI COOLDOWN - 2024-7, UI - 2024-9, UI - 2024-12
Story Points:
5

- CSP policy must keep compatibility with existing applications
  - To be tested with default UI
  - To be tested with a customized UI configured in Nuxeo Studio Designer
    - Specifically check for the import mechanism for which we are using a polyfill to keep compatibility

depends on

WEBUI-1282 Allow Content Security Policy without "script-src data:"

is related to

NXP-32879 NUXEO API Documentation page did not display list of items

WEBUI-1575 The content of the spreadsheet popup did not load correctly

WEBUI-1579 Clear button in select all functionality shows csp error

Resolved

Estimated:

1w 4d 1h

Remaining:

1w 2d 2h

Logged:

1d 6h

Include sub-tasks