Project

General

Profile

Actions
Copy link

Bug #24062

closed

Implementing CSP headers without duplicating Lift scripts

Added by Clark ANDRIANASOLO 10 months ago. Updated 8 months ago.

Status:
Released
Priority:
N/A
Assignee:
François ARMAND
Category:
Security
Target version:
8.1.0~beta1
Pull Request:
https://github.com/Normation/rudder/p...
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
User visibility:
Effort required:
Small
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No

Description

When we implemented CSP headers we found out that the Lift web framework appends scripts to the HTML response, and there is no convenient way to hook into the scripts and add nonce attributes to them. So we allowed duplicate scripts, one we added with a nonce and another one added by Lift, causing a CSP violation in the browser (healthcheck page only).

We should find a way to avoid the duplication.

Also we should fix all current violations on the healthcheck page :

Files

Download all files
clipboard-202401231748-btx8j.png (16.3 KB) clipboard-202401231748-btx8j.png Clark ANDRIANASOLO, 2024-01-23 17:48
clipboard-202401231748-8wohf.png (16.3 KB) clipboard-202401231748-8wohf.png Clark ANDRIANASOLO, 2024-01-23 17:48

Related issues 2 (0 open2 closed)

Related to Rudder - Bug #24016: Implement CSP strict headers with nonce and apply to healtcheck pageReleasedFrançois ARMANDActions
Related to Rudder - Bug #24041: Fix default font size and menu toggleReleasedVincent MEMBRÉActions
Actions
Copy link

Also available in: Atom PDF