Opened 7 years ago

Closed 5 years ago

Last modified 5 years ago

#1712 closed task (fixed)

Implement a 'Content Security Policy'

Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
Priority: major
Milestone: BASE 3.3
Component: web
Version:
Keywords:
Cc:

Description (last modified by Nicklas Nordborg)

A 'Content Security Policy' can be used to white-list allowed javascript and style sheet usage. Everything else is blocked which makes it a good protection against cross-site scripting (XSS) attacks. Read more here:

http://www.html5rocks.com/en/tutorials/security/content-security-policy/

I guess this will not happen for some time since browser support is only experimental and BASE is basically full of inline JavaScript and CSS that need to be moved to external files. It's a lot of work and probably requires a different approach to how the GUI is created.

The following tickets are related to this and need to be fixed first: #1727, #1729, #1730

Change History (13)

comment:1 Changed 7 years ago by Nicklas Nordborg

Description: modified (diff)

comment:2 Changed 5 years ago by Nicklas Nordborg

Milestone: changed from BASE Future Release to BASE 3.3
Owner: changed from everyone to Nicklas Nordborg
Status: changed from new to assigned

comment:3 Changed 5 years ago by Nicklas Nordborg

(In [6406]) References #1712: Implement a 'Content Security Policy'

Create a filter implementation that adds a Content Security Policy header to the HTTP response for all requests. It is enabled and strict by default. This may cause problems with extensions that use inline JavaScript so we should build some kind of detection for this.

comment:4 Changed 5 years ago by Nicklas Nordborg

(In [6407]) References #1712: Implement a 'Content Security Policy'

Added UnsafeScriptable interface which should be used to mark all extension points (e.g. Action interfaces) that have a possibility to generate unsafe inline scripts.

Added method to ContentSecurityPolicyFilter that checks if the current configuration allows inline scripts or not.
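
The filter that comment:3 and comment:4 describe, as an added example and not BASE's own ContentSecurityPolicyFilter: a javax.servlet Filter that sets a strict Content-Security-Policy header on every response, exposes the "does the current configuration allow inline scripts" check, and (as comment:12 later does) allows data: URLs for images. The class name CspFilter, the unsafe-inline init-param and the exact directive set are assumptions; the Filter part needs the servlet API on the classpath, while buildPolicy and main run as plain Java.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical CSP filter (example code, not BASE's ContentSecurityPolicyFilter).
 * Strict by default: only same-origin scripts and styles, no inline code at all.
 * The init-param "unsafe-inline" (assumed name) set to "true" relaxes script-src
 * and style-src so legacy inline code keeps working.
 */
public class CspFilter implements Filter {

    public static final String HEADER = "Content-Security-Policy";

    private boolean allowInline;
    private String headerValue;

    /** Builds the policy string; pure function so it can be checked without a container. */
    static String buildPolicy(boolean allowInline) {
        Map<String, String> directives = new LinkedHashMap<>();
        String scriptAndStyle = allowInline ? "'self' 'unsafe-inline'" : "'self'";
        directives.put("default-src", "'self'");
        directives.put("script-src", scriptAndStyle);
        directives.put("style-src", scriptAndStyle);
        directives.put("img-src", "'self' data:");   // data: URLs for inline images
        directives.put("object-src", "'none'");       // no plugins
        directives.put("frame-ancestors", "'self'");  // no framing by other origins
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : directives.entrySet()) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(e.getKey()).append(' ').append(e.getValue());
        }
        return sb.toString();
    }

    @Override
    public void init(FilterConfig config) {
        allowInline = Boolean.parseBoolean(config.getInitParameter("unsafe-inline"));
        headerValue = buildPolicy(allowInline);
    }

    /** The check the ticket describes: does the current configuration allow inline scripts? */
    public boolean allowsInlineScripts() {
        return allowInline;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set before the chain runs so the header is there even if a JSP flushes early
            ((HttpServletResponse) res).setHeader(HEADER, headerValue);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}

    /** Prints the strict and relaxed policies so the two modes can be compared. */
    public static void main(String[] args) {
        System.out.println("strict:  " + buildPolicy(false));
        System.out.println("relaxed: " + buildPolicy(true));
    }
}
```

Map the filter to `/*` in web.xml so every response carries the header. When rolling this out on an installation that, as the description says, is full of inline JavaScript and CSS, first emit the same value under the `Content-Security-Policy-Report-Only` header and collect violation reports; nothing is blocked in that mode, so it shows which pages and extensions still rely on inline code. Keep in mind that `'unsafe-inline'` on script-src gives up most of the XSS protection the policy is meant to provide, so the relaxed mode should be the exception and not the default.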

comment:5 Changed 5 years ago by Nicklas Nordborg

(In [6408]) References #1712: Implement a 'Content Security Policy'

Added possibility for extension to add extra attributes to the <about> tag in the extensions.xml file.

A test has been implemented in ExtensionsControl that checks extensions for the 'safe-scripts' attribute in the <about> tag. The check is only made if the server disallows unsafe scripts and if the extension point has been tagged with UnsafeScriptable. The intention is to display a warning message when an administrator tries to install an extension that uses unsafe scripts on a server that doesn't allow them to execute.

comment:6 Changed 5 years ago by Nicklas Nordborg

(In [6409]) References #1712: Implement a 'Content Security Policy'

Added information and warning messages to various places in the extensions overview and installation wizard.

comment:7 Changed 5 years ago by Nicklas Nordborg

(In [6410]) References #1712: Implement a 'Content Security Policy'

Updated documentation to include some (minimal) information about content security policy.

comment:8 Changed 5 years ago by Nicklas Nordborg

(In [6417]) References #1712: Implement a 'Content Security Policy'

Added support for relaxing the security policy for extensions that ask for it by setting <about safe-resources="0"> in their extensions.xml definition file.
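
How the extensions.xml check described in comment:5 and comment:8 can be made, as an added example rather than BASE's ExtensionsControl code: parse the <about> element, read the safe-scripts and safe-resources attributes, and decide whether to show the warning and whether to relax the policy for that extension. The class and method names and the three sample XML fragments are constructed; the attribute names and the "1"/"0" values are the ones the ticket uses. Whether the extension point is UnsafeScriptable is passed in as a boolean here, where BASE would test the extension point against its UnsafeScriptable marker interface.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical install-time check of the CSP attributes in an extension's
 * extensions.xml <about> tag (example code, not BASE's ExtensionsControl).
 */
public class ExtensionCspCheck {

    /** Outcome for one extension. */
    public static final class Verdict {
        public final boolean warnUnsafeScripts;   // show the "may violate the CSP" warning
        public final boolean relaxResourcePolicy; // extension declared safe-resources="0"
        Verdict(boolean warn, boolean relax) {
            warnUnsafeScripts = warn;
            relaxResourcePolicy = relax;
        }
        @Override public String toString() {
            return "warn=" + warnUnsafeScripts + " relax=" + relaxResourcePolicy;
        }
    }

    /**
     * Parses extensions.xml and returns its <about> element. The file ships with a
     * third-party extension, so DTDs and entity expansion are refused (no XXE).
     */
    static Element parseAbout(String extensionsXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(extensionsXml.getBytes(StandardCharsets.UTF_8)));
        NodeList about = doc.getElementsByTagName("about");
        if (about.getLength() == 0) {
            throw new IllegalArgumentException("extensions.xml has no <about> element");
        }
        return (Element) about.item(0);
    }

    /**
     * Decision rule from the ticket: warn only when the server disallows inline
     * scripts, the extension point is UnsafeScriptable, and the extension does not
     * declare safe-scripts="1". A missing attribute counts as "not declared safe".
     * safe-resources="0" is an explicit request to relax the policy for this extension.
     */
    static Verdict check(Element about, boolean serverAllowsInlineScripts, boolean pointIsUnsafeScriptable) {
        boolean declaredSafeScripts = "1".equals(about.getAttribute("safe-scripts"));
        boolean asksForRelaxedResources = "0".equals(about.getAttribute("safe-resources"));
        boolean warn = !serverAllowsInlineScripts && pointIsUnsafeScriptable && !declaredSafeScripts;
        return new Verdict(warn, asksForRelaxedResources);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample fragments, not taken from any real extension
        String legacy  = "<extensions><about><name>Legacy</name></about></extensions>";
        String audited = "<extensions><about safe-scripts=\"1\"><name>Audited</name></about></extensions>";
        String relaxed = "<extensions><about safe-scripts=\"1\" safe-resources=\"0\">"
                       + "<name>Relaxed</name></about></extensions>";

        boolean serverAllowsInline = false; // strict server: no inline scripts
        System.out.println("legacy, unsafe point   : " + check(parseAbout(legacy), serverAllowsInline, true));
        System.out.println("audited, unsafe point  : " + check(parseAbout(audited), serverAllowsInline, true));
        System.out.println("relaxed, unsafe point  : " + check(parseAbout(relaxed), serverAllowsInline, true));
        System.out.println("legacy, safe point     : " + check(parseAbout(legacy), serverAllowsInline, false));
        System.out.println("legacy, lenient server : " + check(parseAbout(legacy), true, true));
    }
}
```

Note what safe-scripts="1" is: a self-declaration by the extension author that the server cannot verify at install time, which is why the ticket makes it a warning in the installation wizard rather than a hard refusal. Enforcement still happens in the browser; an extension that claims safe-scripts="1" but emits inline script simply has that script blocked under the strict policy.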

comment:9 Changed 5 years ago by Nicklas Nordborg

Resolution: fixed
Status: changed from assigned to closed

comment:10 Changed 5 years ago by Nicklas Nordborg

(In [6418]) References #1712: Implement a 'Content Security Policy'

Fixes the CompileAll servlet so that it is possible to display the error messages.

comment:11 Changed 5 years ago by Nicklas Nordborg

(In [6466]) References #1712: Implement a 'Content Security Policy'

Lost some information after registering extensions, causing BASE to incorrectly display the 'This extension may violate the Content Security Policy setting on this server...' warning for extensions that were tagged with safe-scripts="1".

comment:12 Changed 5 years ago by Nicklas Nordborg

(In [6485]) References #1712: Implement a 'Content Security Policy'

Allow 'data:' URLs for images.

comment:13 Changed 5 years ago by Nicklas Nordborg

(In [6494]) References #1712: Implement a 'Content Security Policy'

Rearranged documentation about content security policy so that it appears in the table of contents and is easier to find.
