- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 2.4.55
- Component/s: Authentication
- Release Notes Summary: Re-login works with stricter CSP.
- Tags:
- Backlog priority: 700
- Sprint: UI - 2021-13, UI - 2021-14, UI Cooldown - 2021-13, UI Cooldown - 2021-14
The link to re-authenticate after the session expires fails to run when the CSP's script-src directive lacks 'unsafe-inline' and 'unsafe-eval' while org.nuxeo.web.ui.expressions.eval is set to false (as seen in WEBUI-60). The following error is seen in the console:
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' data: connect.nuxeo.com apis.google.com app.box.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
The re-login link should work with a CSP of the following form:
img-src data: blob: persistent-bucket-here app-vip-name-here; default-src blob: persistent-bucket-here *.company.com; script-src data: app-vip-here; style-src 'unsafe-inline' *.company.com; font-src data: *; connect-src persistent-bucket-here transient-bucket-here *.company.com; media-src persistent-bucket-here *.company.com
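As an added example (not Nuxeo Web UI code), the following checks whether a given CSP lets a `javascript:` re-login link run, and shows the usual fix of binding the handler with addEventListener so the link needs no 'unsafe-inline'. The names `doc` and `onRelogin` are assumptions for illustration.

```javascript
// Parse a CSP string into a Map of directive name -> array of source expressions.
// Later duplicates of a directive are ignored, as browsers do.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// A javascript: navigation is governed by script-src-elem, falling back to
// script-src and then default-src. It runs only if no governing directive exists,
// if the directive contains 'unsafe-inline' (ignored when a nonce, a hash or
// 'strict-dynamic' is also present), or if it carries hashes together with
// 'unsafe-hashes'. The hash would also have to match the URL's script body;
// only the presence of a hash is checked here, not the match.
function javascriptUrlAllowed(csp) {
  const directives = parseCsp(csp);
  const sources = directives.get("script-src-elem")
    ?? directives.get("script-src")
    ?? directives.get("default-src");
  if (sources === undefined) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash && !lower.includes("'strict-dynamic'")) {
    return true;
  }
  return lower.includes("'unsafe-hashes'") && lower.some((s) => /^'sha(256|384|512)-/.test(s));
}

// The fix: register the click handler with addEventListener instead of using a
// javascript: href, so the link works under a script-src without 'unsafe-inline'.
// `doc` (assumed name) is any object exposing createElement; in the browser pass
// `document`. `onRelogin` (assumed name) restarts the login flow.
function buildReloginLink(doc, onRelogin) {
  const link = doc.createElement("a");
  link.href = "#";
  link.textContent = "Re-login";
  link.addEventListener("click", (event) => {
    event.preventDefault();
    onRelogin();
  });
  return link;
}
```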
- Is referenced in