Bug #25712

open

CSP violations from status tab in utilities pages

Added by Clark ANDRIANASOLO 4 days ago. Updated about 14 hours ago.

Status: Pending technical review
Priority: N/A
Category: Security
Target version:
Severity: Trivial - no functional impact | cosmetic
UX impact:
User visibility: First impressions of Rudder
Effort required: Small
Priority: 0
Name check: To do
Fix check: To do
Regression: No

Description

In 8.2 only the "Utilities" menu in Rudder has strict CSP headers enabled, see #25032.
This means script tags need a unique valid nonce attribute.
But it appears that when loading these pages, there are some CSP violations from some scripts that were added to render the "Status" tab in #25527, which have a different value than the one used for the script tags within the page.

The error log that is produced:

WARN  application - Content security policy violation: blocked inline in http://localhost:8080/rudder/secure/utilities/archiveManagement?continue because of script-src-elem directive

(notice that the violation is not enforced in dev mode, which makes it not detectable unless we pay attention to error logs and console errors, because we have the Content-Security-Policy-Report-Only header; we should also enforce it by only using the Content-Security-Policy and X-Content-Security-Policy headers)
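An added illustration of the mechanism the report describes (this is example code, not Rudder's own): a small checker that extracts the nonces a strict policy allows for script elements, lists every <script> in a page whose nonce does not match, and tells whether the policy header would block or only report. The header value, nonces and HTML fragment are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample policy: script elements must carry the per-request nonce.
CSP_HEADER = "default-src 'self'; script-src-elem 'nonce-pageNonce123' 'strict-dynamic'"

# Constructed page: the main script carries the page nonce, while a fragment
# rendered separately for a "Status" tab uses another nonce, and one has none.
SAMPLE_HTML = """
<html><body>
<script nonce="pageNonce123" src="/app.js"></script>
<div id="status-tab">
  <script nonce="otherNonceXYZ">document.querySelector('.status').hidden = false;</script>
  <script>console.log('no nonce at all');</script>
</div>
</body></html>
"""

def allowed_script_nonces(csp_header):
    """Nonces allowed for <script> elements. script-src-elem governs them and,
    per CSP3, falls back to script-src, then default-src, when absent."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return {m.group(1) for s in directives[name]
                    if (m := re.fullmatch(r"'nonce-([^']+)'", s))}
    return set()

class ScriptCollector(HTMLParser):
    """Record (line number, nonce attribute or None) for every <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append((self.getpos()[0], dict(attrs).get("nonce")))

def find_csp_violations(csp_header, html):
    """Scripts a browser would block under the policy: nonce missing or not allowed."""
    allowed = allowed_script_nonces(csp_header)
    collector = ScriptCollector()
    collector.feed(html)
    return [(line, nonce) for line, nonce in collector.scripts if nonce not in allowed]

def effective_policy(headers):
    """(policy, enforced): a Report-Only header logs violations but blocks nothing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in lowered:
        return lowered["content-security-policy"], True
    if "content-security-policy-report-only" in lowered:
        return lowered["content-security-policy-report-only"], False
    return None, False
```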


Files

clipboard-202410211802-fhweb.png (63 KB), Clark ANDRIANASOLO, 2024-10-21 18:02
clipboard-202410211802-5uu5d.png (63 KB), Clark ANDRIANASOLO, 2024-10-21 18:02
clipboard-202410211802-yz8zl.png (110 KB), Clark ANDRIANASOLO, 2024-10-21 18:02

Related issues 3 (1 open, 2 closed)

Related to Rudder - Bug #25527: List techniques with compilation failure in bar for generation status (Released, François ARMAND)
Related to Rudder - Bug #25032: Use Content-Security-Policy strict headers in utilities pages (Released, François ARMAND)
Related to Rudder - Bug #25715: Avoid Content-Security-Policy-Report-Only headers in dev mode (Pending technical review, Alexis Mousset)

#1

Updated by Clark ANDRIANASOLO 4 days ago

  • Related to Bug #25527: List techniques with compilation failure in bar for generation status added
  • Related to Bug #25032: Use Content-Security-Policy strict headers in utilities pages added

Updated by Clark ANDRIANASOLO 4 days ago · Edited

The scripts in error involve generic CSS selectors and could be put in a global context within the request that has access to the page nonce to solve the issue.
And since we use buttons to open in a new page we will have some pain rewriting using the same CSP, so we likely need to rewrite buttons into links.
The errors I saw with 3 nonce values that are not the ones allowed in the page:

#3

Updated by Clark ANDRIANASOLO 4 days ago

  • Description updated (diff)
#4

Updated by Clark ANDRIANASOLO 4 days ago

  • Related to Bug #25715: Avoid Content-Security-Policy-Report-Only headers in dev mode added
#5

Updated by Clark ANDRIANASOLO 2 days ago

  • Priority changed from To review to N/A
#6

Updated by Clark ANDRIANASOLO about 14 hours ago

  • Status changed from New to In progress
#7

Updated by Clark ANDRIANASOLO about 14 hours ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/5966