Implement a 'Content Security Policy'

[Nicklas Nordborg]

A 'Content Security Policy' can be used to white-list allowed javascript and style sheet usage. Everything else is blocked which makes it a good protection against cross-site scripting (XSS) attacks. Read more here:

​http://www.html5rocks.com/en/tutorials/security/content-security-policy/

I guess this will not happen for some time since browser support is only experimental and BASE is basically full of inline javascript and CSS that need to be moved to external files. It's a lot of work and probably require a different approach to how the gui is created.

The following tickets are related to this and need to be fixed first: #1727, #1729, #1730

[Nicklas Nordborg]

(In [6406]) References #1712: Implement a 'Content Security Policy'

Create a filter implementat that add a Content Security Policy header to the HTTP response for all requests. It is enabled and strict by default. This may cause problems with extensions that use inline javascript so we should build some kind of detection for this.

[Nicklas Nordborg]

(In [6407]) References #1712: Implement a 'Content Security Policy'

Added UnsafeScriptable interface which should be used to mark all extension points (eg Action interfaces) that have a possibility to generate unsafe inline scripts.

Added method to ContentSecurityPolicyFilter that checks if the current configuration allows inline scripts or not.

[Nicklas Nordborg]

(In [6408]) References #1712: Implement a 'Content Security Policy'

Added possibility for extension to add extra attributes to the <about> tag in the extensions.xml file.

A test has been implemented in ExtensionsControl that check extensions for 'safe-scripts' attribute in the <about> tag. The check is only made if the server disallows unsafe scripts and if the extension point has been tagged with UnsafeScriptable. The intention is to display a warning message when an administrator try to install an extension that uses unsafe scripts on a server that doesn't allow them to execute.

[Nicklas Nordborg]

(In [6409]) References #1712: Implement a 'Content Security Policy'

Added information and warning messages to various places in the extensions overview and installation wizard.

[Nicklas Nordborg]

(In [6410]) References #1712: Implement a 'Content Security Policy'

Updated documentation to include some (minimal) information about content security policy.

[Nicklas Nordborg]

(In [6417]) References #1712: Implement a 'Content Security Policy'

Added support for relaxing the security policy for extensions that asks for it by setting <about safe-resources="0"> in their extensions.xml definition file.

[Nicklas Nordborg]

(In [6418]) References #1712: Implement a 'Content Security Policy'

Fixes the CompileAll servlet so that it is possible to display the error messages.

[Nicklas Nordborg]

(In [6466]) References #1712: Implement a 'Content Security Policy'

Lost some information after registering extensions causing BASE to incorrectly display 'This extension may violate the Content Security Policy setting on this server...' warning for extensions that was tagged with safe-scripts="1"

[Nicklas Nordborg]

(In [6485]) References #1712: Implement a 'Content Security Policy'

Allow 'data:' URLs for images.

[Nicklas Nordborg]

(In [6494]) References #1712: Implement a 'Content Security Policy'

Rearranged documentation about content security policy so that it appears in the table of contents and is easier to find.