Opened 5 years ago

Closed 4 years ago

Last modified 3 years ago

#1712 closed task (fixed)

Implement a 'Content Security Policy'

Reported by: nicklas Owned by: nicklas
Priority: major Milestone: BASE 3.3
Component: web Version:
Keywords: Cc:

Description (last modified by nicklas)

A 'Content Security Policy' can be used to white-list allowed javascript and style sheet usage. Everything else is blocked, which makes it a good protection against cross-site scripting (XSS) attacks. Read more here:

http://www.html5rocks.com/en/tutorials/security/content-security-policy/

I guess this will not happen for some time since browser support is only experimental and BASE is basically full of inline javascript and CSS that need to be moved to external files. It's a lot of work and probably requires a different approach to how the gui is created.

The following tickets are related to this and need to be fixed first: #1727, #1729, #1730

Change History (13)

comment:1 Changed 5 years ago by nicklas

  • Description modified (diff)

comment:2 Changed 4 years ago by nicklas

  • Milestone changed from BASE Future Release to BASE 3.3
  • Owner changed from everyone to nicklas
  • Status changed from new to assigned

comment:3 Changed 4 years ago by nicklas

(In [6406]) References #1712: Implement a 'Content Security Policy'

Create a filter implementation that adds a Content Security Policy header to the HTTP response for all requests. It is enabled and strict by default. This may cause problems with extensions that use inline javascript so we should build some kind of detection for this.

comment:4 Changed 4 years ago by nicklas

(In [6407]) References #1712: Implement a 'Content Security Policy'

Added UnsafeScriptable interface which should be used to mark all extension points (eg Action interfaces) that have a possibility to generate unsafe inline scripts.

Added method to ContentSecurityPolicyFilter that checks if the current configuration allows inline scripts or not.

comment:5 Changed 4 years ago by nicklas

(In [6408]) References #1712: Implement a 'Content Security Policy'

Added possibility for extension to add extra attributes to the <about> tag in the extensions.xml file.

A test has been implemented in ExtensionsControl that checks extensions for the 'safe-scripts' attribute in the <about> tag. The check is only made if the server disallows unsafe scripts and if the extension point has been tagged with UnsafeScriptable. The intention is to display a warning message when an administrator tries to install an extension that uses unsafe scripts on a server that doesn't allow them to execute.

comment:6 Changed 4 years ago by nicklas

(In [6409]) References #1712: Implement a 'Content Security Policy'

Added information and warning messages to various places in the extensions overview and installation wizard.

comment:7 Changed 4 years ago by nicklas

(In [6410]) References #1712: Implement a 'Content Security Policy'

Updated documentation to include some (minimal) information about content security policy.

comment:8 Changed 4 years ago by nicklas

(In [6417]) References #1712: Implement a 'Content Security Policy'

Added support for relaxing the security policy for extensions that ask for it by setting <about safe-resources="0"> in their extensions.xml definition file.

comment:9 Changed 4 years ago by nicklas

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:10 Changed 4 years ago by nicklas

(In [6418]) References #1712: Implement a 'Content Security Policy'

Fixes the CompileAll servlet so that it is possible to display the error messages.

comment:11 Changed 3 years ago by nicklas

(In [6466]) References #1712: Implement a 'Content Security Policy'

Lost some information after registering extensions, causing BASE to incorrectly display the 'This extension may violate the Content Security Policy setting on this server...' warning for extensions that were tagged with safe-scripts="1".

comment:12 Changed 3 years ago by nicklas

(In [6485]) References #1712: Implement a 'Content Security Policy'

Allow 'data:' URLs for images.
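A minimal servlet filter of the kind the commits above describe, written here as an added example and not BASE's own ContentSecurityPolicyFilter (whose class, configuration and extension-check code are not on this page): the policy is strict by default, one init-parameter relaxes it for inline scripts and styles (comments 3 and 8), images may use data: URLs (comment 12), and a helper lets extension-aware code ask whether inline scripts are allowed (comment 4). The class name, the init-parameter name and the exact directives are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical example filter, not BASE's ContentSecurityPolicyFilter.
 *  Adds a Content-Security-Policy header to every response; strict unless the
 *  init-parameter "allow-unsafe-inline" is set to "true" in web.xml. */
public class CspHeaderFilter implements Filter {

    private boolean allowUnsafeInline;
    private String policy;

    @Override
    public void init(FilterConfig config) {
        allowUnsafeInline = "true".equals(config.getInitParameter("allow-unsafe-inline"));
        policy = buildPolicy(allowUnsafeInline);
    }

    /** 'self' limits scripts and styles to this origin; data: is allowed for images only. */
    static String buildPolicy(boolean unsafeInline) {
        String scriptAndStyle = unsafeInline ? "'self' 'unsafe-inline'" : "'self'";
        return "default-src 'self'; "
             + "script-src " + scriptAndStyle + "; "
             + "style-src " + scriptAndStyle + "; "
             + "img-src 'self' data:";
    }

    /** Lets extension-handling code ask whether inline scripts would execute under this policy. */
    public boolean allowsInlineScripts() {
        return allowUnsafeInline;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set before the chain runs so the header is present even if a servlet commits early.
            ((HttpServletResponse) res).setHeader("Content-Security-Policy", policy);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

With the default (strict) setting, any inline `<script>` or `style=` attribute left in a page is refused by the browser, which is exactly the failure mode the extension warning in comment 5 is meant to surface before installation.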

comment:13 Changed 3 years ago by nicklas

(In [6494]) References #1712: Implement a 'Content Security Policy'

Rearranged documentation about content security policy so that it appears in the table of contents and is easier to find.
