Bug #25712 (closed): CSP violations from status tab in utilities pages
Description
In 8.2 only the "Utilities" menu in Rudder has strict CSP headers enabled, see #25032.
This means script tags need a unique valid nonce attribute.
But it appears that when loading these pages, there are some CSP violations from some scripts that were added to render the "Status" tab in #25527, that have a different value than the one used for the script tags within the page.
The error log that is produced:
WARN application - Content security policy violation: blocked inline in http://localhost:8080/rudder/secure/utilities/archiveManagement?continue because of script-src-elem directive
(Notice that the violation is not enforced in dev mode, which makes it not detectable unless we pay attention to error logs and console errors, because we have the Content-Security-Policy-Report-Only header; we should also enforce it by only using the Content-Security-Policy and X-Content-Security-Policy headers.)
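An added checker, not Rudder's own code, that reproduces the mismatch described above: it reads the nonce allowed by the page's CSP header, flags every inline script whose nonce attribute is missing or differs from it, and distinguishes the Report-Only header from the enforcing ones. The nonce values and the HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the per-request nonce in the CSP header, and a page whose
# "Status" tab scripts carry a different (or no) nonce, as in the bug report.
PAGE_NONCE = "r4nd0mN0nc3"  # hypothetical nonce value
CSP_HEADER = (f"default-src 'self'; script-src 'nonce-{PAGE_NONCE}'; "
              f"script-src-elem 'nonce-{PAGE_NONCE}'")
SAMPLE_HTML = f"""
<html><body>
<script nonce="{PAGE_NONCE}">console.log("ok");</script>
<script nonce="0th3rN0nc3">document.querySelector(".status").focus();</script>
<script>document.querySelector(".bar").hidden = false;</script>
<script src="/rudder/js/app.js" nonce="{PAGE_NONCE}"></script>
</body></html>
"""

def nonces_from_policy(policy: str) -> dict:
    """Map each CSP directive name to the set of nonce values it allows."""
    allowed = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            allowed[parts[0]] = set(re.findall(r"'nonce-([^']+)'", directive))
    return allowed

class ScriptCollector(HTMLParser):
    """Collect (nonce, is_inline) for every <script> element on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("nonce"), "src" not in a))

def find_violations(html: str, policy: str) -> list:
    """Return (nonce, is_inline) for scripts the policy would block.

    Uses script-src-elem when present (the directive named in the bug's log
    line), falling back to script-src as CSP specifies.
    """
    allowed = nonces_from_policy(policy)
    nonces = allowed.get("script-src-elem", allowed.get("script-src", set()))
    collector = ScriptCollector()
    collector.feed(html)
    return [(n, inline) for n, inline in collector.scripts if n not in nonces]

def is_enforced(header_name: str) -> bool:
    """Report-Only only logs violations; these two header names block them."""
    return header_name.lower() in ("content-security-policy",
                                   "x-content-security-policy")
```

Running `find_violations(SAMPLE_HTML, CSP_HEADER)` reports the two inline scripts with a foreign or missing nonce, which is what the WARN line above corresponds to.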
Updated by Clark ANDRIANASOLO about 2 months ago
- Related to Bug #25527: List techniques with compilation failure in bar for generation status added
- Related to Bug #25032: Use Content-Security-Policy strict headers in utilities pages added
Updated by Clark ANDRIANASOLO about 2 months ago · Edited
- File clipboard-202410211802-fhweb.png added
- File clipboard-202410211802-5uu5d.png added
- File clipboard-202410211802-yz8zl.png added
The scripts in error involve generic CSS selectors and could be put in a global context within the request that has access to the page nonce to solve the issue.
And since we use buttons to open in a new page we will have some pain rewriting using the same CSP, so we likely need to rewrite buttons into links.
The errors I saw with 3 nonce values that are not the ones allowed in the page:
Updated by Clark ANDRIANASOLO about 2 months ago
- Related to Bug #25715: Avoid Content-Security-Policy-Report-Only headers in dev mode added
Updated by Clark ANDRIANASOLO about 1 month ago
- Priority changed from To review to N/A
Updated by Clark ANDRIANASOLO about 1 month ago
- Status changed from New to In progress
Updated by Clark ANDRIANASOLO about 1 month ago
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/5966
Updated by Vincent MEMBRÉ about 1 month ago
- Target version changed from 8.2.0 to 8.2.1
Updated by Clark ANDRIANASOLO about 1 month ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|89afd337c2f1674a86c4e1b69fd18cb55831e3db.
Updated by Vincent MEMBRÉ 28 days ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.2.1 which was released today.