Uploaded image for project: 'Nuxeo Web UI'
  1. Nuxeo Web UI
  2. WEBUI-1497

CSP should not allow '*' as source for default-src & script-src

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: In Review
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.0.x, 3.1.x
    • Fix Version/s: 3.0.x, 3.1.x
    • Component/s: UI, Web UI

      Description

      • default-src: should not allow '*' as source
      • script-src should not allow '*' as source

      AC

        • CSP policy must keep compatibility with existing applications
          • To be tested with default UI
          • To be tested with a customized UI configured in Nuxeo Studio Designer
            • Specifically check for the import mechanism for which we are using a polyfill to keep compatibility

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:

                  Time Tracking

                  Estimated:
                  Original Estimate - 1 week, 4 days, 1 hour
                  1w 4d 1h
                  Remaining:
                  Time Spent - 1 day, 6 hours Remaining Estimate - 1 week, 2 days, 2 hours
                  1w 2d 2h
                  Logged:
                  Time Spent - 1 day, 6 hours Remaining Estimate - 1 week, 2 days, 2 hours
                  1d 6h