#1712 closed task (fixed)
Implement a 'Content Security Policy'
| Reported by: | Nicklas Nordborg | Owned by: | Nicklas Nordborg |
|---|---|---|---|
| Priority: | major | Milestone: | BASE 3.3 |
| Component: | web | Version: | |
| Keywords: | | Cc: | |
Description (last modified by )
A 'Content Security Policy' can be used to white-list allowed JavaScript and style sheet usage. Everything else is blocked, which makes it a good protection against cross-site scripting (XSS) attacks. Read more here:
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
I guess this will not happen for some time since browser support is only experimental and BASE is basically full of inline JavaScript and CSS that need to be moved to external files. It's a lot of work and probably requires a different approach to how the GUI is created.
The following tickets are related to this and need to be fixed first: #1727, #1729, #1730
Change History (13)
comment:1 by , 12 years ago
| Description: | modified (diff) |
|---|---|
comment:2 by , 11 years ago
| Milestone: | BASE Future Release → BASE 3.3 |
|---|---|
| Owner: | changed from | to |
| Status: | new → assigned |
comment:3 by , 11 years ago
comment:4 by , 11 years ago
(In [6407]) References #1712: Implement a 'Content Security Policy'
Added UnsafeScriptable interface which should be used to mark all extension points (e.g. Action interfaces) that have a possibility to generate unsafe inline scripts. Added method to ContentSecurityPolicyFilter that checks if the current configuration allows inline scripts or not.
comment:5 by , 11 years ago
(In [6408]) References #1712: Implement a 'Content Security Policy'
Added the possibility for an extension to add extra attributes to the <about> tag in the extensions.xml file. A test has been implemented in ExtensionsControl that checks extensions for a 'safe-scripts' attribute in the <about> tag. The check is only made if the server disallows unsafe scripts and if the extension point has been tagged with UnsafeScriptable. The intention is to display a warning message when an administrator tries to install an extension that uses unsafe scripts on a server that doesn't allow them to execute.
comment:6 by , 11 years ago
comment:7 by , 11 years ago
comment:8 by , 11 years ago
comment:9 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
(In [6406]) References #1712: Implement a 'Content Security Policy'
Create a filter implementation that adds a Content Security Policy header to the HTTP response for all requests. It is enabled and strict by default. This may cause problems with extensions that use inline JavaScript, so we should build some kind of detection for this.
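The three pieces the ticket describes (a strict policy header added to every response, a check of whether the configured policy lets inline scripts run, and a warning when an extension without the 'safe-scripts' attribute is installed on a server that blocks inline scripts) fit together as below. This is an added, stand-alone Python illustration, not code from BASE or from the changesets above: the class names UnsafeScriptable and ContentSecurityPolicyFilter are BASE's, but every function name here, the policy string and the layout of the extensions.xml sample around the `<about>` tag are assumptions. The inline-script check follows the CSP specification rather than any particular BASE setting: `script-src` governs scripts, `default-src` is the fallback, and a nonce or hash source makes browsers ignore `'unsafe-inline'`.

```python
"""Added example (not BASE's own code): strict CSP header, inline-script check,
and the extension compatibility warning described in ticket #1712."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Strict default: only same-origin scripts and styles, no inline code, no plugins.
# The exact policy string is an assumption, not BASE's configured value.
STRICT_POLICY = "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive name: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # Per the spec the first occurrence of a directive wins; duplicates are ignored.
        directives.setdefault(name, sources)
    return directives


def allows_inline_scripts(policy: str) -> bool:
    """True if inline <script> blocks and on* handlers would be allowed to run.

    script-src governs scripts; if it is absent, default-src applies; if neither
    is present, scripts are unrestricted. CSP Level 2+ browsers ignore
    'unsafe-inline' when a nonce or hash source appears in the same directive.
    """
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    normalized = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in normalized
    )
    return "'unsafe-inline'" in normalized and not has_nonce_or_hash


def csp_headers(policy: str = STRICT_POLICY, report_only: bool = False) -> dict[str, str]:
    """Header(s) a response filter would add to every HTTP response.

    Report-only mode reports violations without blocking, which is useful while
    inline scripts are still being moved to external files.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: policy}


# Constructed sample extensions.xml. Only the 'safe-scripts' attribute on <about>
# comes from the ticket; the surrounding element layout is assumed.
SAMPLE_EXTENSIONS_XML = """<extensions>
  <extension id="net.example.safe-plugin">
    <about safe-scripts="true"><name>Safe plug-in</name></about>
  </extension>
  <extension id="net.example.legacy-plugin">
    <about><name>Legacy plug-in</name></about>
  </extension>
</extensions>"""


def extension_install_warnings(xml_text: str, policy: str, unsafe_scriptable: bool) -> list[str]:
    """Warnings to show an administrator before installing extensions.

    As in the ticket, the check only runs when the server policy disallows
    inline scripts and the extension point is tagged UnsafeScriptable.
    """
    if allows_inline_scripts(policy) or not unsafe_scriptable:
        return []
    warnings: list[str] = []
    for ext in ET.fromstring(xml_text).findall("extension"):
        about = ext.find("about")
        safe = about is not None and about.get("safe-scripts", "").lower() == "true"
        if not safe:
            warnings.append(
                f"{ext.get('id')}: not marked safe-scripts; its inline scripts will be blocked"
            )
    return warnings


if __name__ == "__main__":
    print(csp_headers())
    print("inline allowed:", allows_inline_scripts(STRICT_POLICY))
    for w in extension_install_warnings(SAMPLE_EXTENSIONS_XML, STRICT_POLICY, True):
        print("WARNING:", w)
```

A real filter (a servlet Filter in BASE's case) would call `csp_headers()` once per response; the report-only variant is the natural first step while inline JavaScript and CSS are still being moved to external files, because it surfaces every violation in the browser console without breaking the GUI.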