[WEBUI-1498] Restrict object-src to 'none' in CSP - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: In Review
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.0.x, 3.1.x
Fix Version/s: 3.0.x, 3.1.x
Component/s: UI, Web UI

Epic Link:
NXUI: Enforce a stricter CSP policy by default
Tags:
- nxui
- nxui-triaged
- security
- ui
Sprint:
UI - 2024-8, UI COOLDOWN - 2024-7, UI COOLDOWN - 2024-9, UI - 2024-9, UI - 2024-12
Story Points:
5

Description

object-src is missing from CSP.
Evaluate if we can restrict object-src to 'none'

AC

- - CSP policy must keep compatibility with existing applications
    - To be tested with default UI
    - To be tested with a customized UI configured in Nuxeo Studio Designer
      - Specifically check for the import mechanism for which we are using a polyfill to keep compatibility

Attachments

Issue Links

is related to

NXP-32937 CSP errors shows on login page

In Progress

mentioned in: Page Loading...

Options

Sub-Tasks

1.

Resolved

Pranit SadashivSotre

Activity

People

Assignee:

Alok Ranjan

Reporter:

rakesh.kumarsingh@contractors.onbase.com

Participants:

Alok Ranjan, rakesh.kumarsingh@contractors.onbase.com

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2024-04-18 06:10

Updated:

2024-10-28 09:03