Project

General

Profile

Actions

Bug #25712

closed

CSP violations from status tab in utilities pages

Added by Clark ANDRIANASOLO about 1 month ago. Updated 14 days ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Trivial - no functional impact | cosmetic
UX impact:
User visibility:
First impressions of Rudder
Effort required:
Small
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

In 8.2 only the "Utilities" menu in Rudder has strict CSP headers enabled, see #25032.
This means script tags need an unique valid nonce attribute.
But it appears that when loading theses pages, there are some CSP violations from some scripts that were added to render the "Status" tab in #25527, that have a different value than the one used for the script tags within the page.

The error log that is produced :

WARN  application - Content security policy violation: blocked inline in http://localhost:8080/rudder/secure/utilities/archiveManagement?continue because of script-src-elem directive

(notice that the violation is not enforced in dev mode which makes it not detectable unless we pay attention to error logs and console errors, because we have the Content-Security-Policy-Report-Only header, we should also enforce it by only using Content-Security-Policy and X-Content-Security-Policy headers)


Files

clipboard-202410211802-fhweb.png (63 KB) clipboard-202410211802-fhweb.png Clark ANDRIANASOLO, 2024-10-21 18:02
clipboard-202410211802-5uu5d.png (63 KB) clipboard-202410211802-5uu5d.png Clark ANDRIANASOLO, 2024-10-21 18:02
clipboard-202410211802-yz8zl.png (110 KB) clipboard-202410211802-yz8zl.png Clark ANDRIANASOLO, 2024-10-21 18:02

Related issues 3 (0 open3 closed)

Related to Rudder - Bug #25527: List techniques with compilation failure in bar for generation statusReleasedFrançois ARMANDActions
Related to Rudder - Bug #25032: Use Content-Security-Policy strict headers in utilities pagesReleasedFrançois ARMANDActions
Related to Rudder - Bug #25715: Avoid Content-Security-Policy-Report-Only headers in dev modeReleasedAlexis MoussetActions
Actions

Also available in: Atom PDF