Uploaded image for project: 'Nuxeo Web UI'
  1. Nuxeo Web UI
  2. WEBUI-1497

CSP should not allow '*' as source for default-src & script-src

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.0.x, 3.1.x
    • Fix Version/s: 3.0.x, 3.1.x
    • Component/s: UI, Web UI

      Description

      • default-src: should not allow '*' as source
      • script-src should not allow '*' as source

      AC

        • CSP policy must keep compatibility with existing applications
          • To be tested with default UI
          • To be tested with a customized UI configured in Nuxeo Studio Designer
            • Specifically check for the import mechanism for which we are using a polyfill to keep compatibility

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: