[WEBUI-1498] Restrict object-src to 'none' in CSP - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.0.x, 3.1.x
Fix Version/s: 3.0.x, 3.1.x
Component/s: UI, Web UI

Epic Link:
NXUI: Enforce a stricter CSP policy by default
Tags:
- nxui
- nxui-triaged
- ui
Sprint:
UI - 2024-5

Description

object-src is missing from CSP.
Evaluate if we can restrict object-src to 'none'

AC

- - CSP policy must keep compatibility with existing applications
    - To be tested with default UI
    - To be tested with a customized UI configured in Nuxeo Studio Designer
      - Specifically check for the import mechanism for which we are using a polyfill to keep compatibility

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

rakesh.kumarsingh@contractors.onbase.com

Participants:

rakesh.kumarsingh@contractors.onbase.com

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2024-04-18 06:10

Updated:

5 days ago 09:25