Actions
Bug #25712
open
CSP violations from status tab in utilities pages
Status:
Pending technical review
Priority:
N/A
Assignee:
Category:
Security
Target version:
Pull Request:
Severity:
Trivial - no functional impact | cosmetic
UX impact:
User visibility:
First impressions of Rudder
Effort required:
Small
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No
Description
In 8.2 only the "Utilities" menu in Rudder has strict CSP headers enabled, see #25032.
This means script tags need an unique valid nonce attribute.
But it appears that when loading theses pages, there are some CSP violations from some scripts that were added to render the "Status" tab in #25527, that have a different value than the one used for the script tags within the page.
The error log that is produced :
WARN application - Content security policy violation: blocked inline in http://localhost:8080/rudder/secure/utilities/archiveManagement?continue because of script-src-elem directive
(notice that the violation is not enforced in dev mode which makes it not detectable unless we pay attention to error logs and console errors, because we have the Content-Security-Policy-Report-Only header, we should also enforce it by only using Content-Security-Policy and X-Content-Security-Policy headers)
Files
Updated by 
Actions