User story #27119

closed

User story #26934: Enable CSP on all pages and add tag to exclude a page

CSP headers for pages without scripts are always set with static nonce

Added by Clark ANDRIANASOLO about 1 month ago. Updated 6 days ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
UX impact:
Suggestion strength:
Require - I need this to use Rudder as I intend
User visibility:
First impressions of Rudder
Effort required:
Very Small
Name check:
To do
Fix check:
To do
Regression:
No

Description

In the parent issue, CSP headers are enabled on all pages (except specifically disabled ones), but they also add a script-src 'nonce-unknown-value' in every request, even API AJAX calls, images, CSS, etc.
But then the value unknown-value could be used in potential content that supports CSP (with content-type type/xml, or others).

We should set the headers to script-src 'none' for pages where we don't have a script tagged with the request nonce value from the server.
This avoids the potential security issue with using the static value above in other CSP-compatible resources.
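As an added illustration (not code from the issue or from Rudder), the following Python shows the policy decision the description asks for, plus a small audit that a defender can run over captured (content-type, CSP header) pairs to spot the pre-fix pattern: a nonce advertised on non-HTML responses, the same nonce value reused across responses, and a nonce too short to be random. `csp_for_response`, `audit_csp`, the sample `BEFORE` responses and the extra content-type guard (nonce only on HTML) are all assumptions of this example, as is the policy being reduced to its script-src directive.

```python
import re
import secrets

# Content types that can carry a server-rendered <script nonce="..."> tag.
HTML_TYPES = {"text/html", "application/xhtml+xml"}

# secrets.token_urlsafe(16) yields 22 characters (128 bits), the entropy level
# the CSP specification recommends for nonces; anything shorter is suspicious.
MIN_NONCE_LEN = 22

NONCE_RE = re.compile(r"'nonce-([^']+)'")


def new_nonce() -> str:
    """Fresh 128-bit random nonce, generated once per request."""
    return secrets.token_urlsafe(16)


def mime_of(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";")[0].strip().lower()


def csp_for_response(content_type: str, has_nonce_scripts: bool, nonce: str) -> str:
    """Return the Content-Security-Policy value for one response (example logic).

    The request nonce is only advertised when the response is an HTML page that
    actually renders <script nonce=...> tags. Every other response (API/AJAX JSON,
    XML, images, CSS, HTML without nonce-tagged scripts) gets script-src 'none'.
    Only script-src is shown; a real policy would carry further directives.
    """
    if mime_of(content_type) in HTML_TYPES and has_nonce_scripts:
        return f"script-src 'nonce-{nonce}'"
    return "script-src 'none'"


def audit_csp(responses):
    """Flag nonce misuse in captured (content_type, csp_header) pairs.

    Returns a list of (index, problem) tuples, where problem is one of:
      'nonce-on-non-html' : nonce source on a response that cannot host scripts
      'nonce-reused'      : same nonce value already seen in an earlier response
      'nonce-too-short'   : nonce shorter than MIN_NONCE_LEN (likely a fixed value)
    """
    findings = []
    seen = {}
    for i, (content_type, csp) in enumerate(responses):
        for nonce in NONCE_RE.findall(csp):
            if mime_of(content_type) not in HTML_TYPES:
                findings.append((i, "nonce-on-non-html"))
            if nonce in seen:
                findings.append((i, "nonce-reused"))
            else:
                seen[nonce] = i
            if len(nonce) < MIN_NONCE_LEN:
                findings.append((i, "nonce-too-short"))
    return findings


# Constructed sample reproducing the behaviour the issue describes:
# one fixed nonce value sent on every response, whatever its content type.
BEFORE = [
    ("text/html; charset=utf-8", "script-src 'nonce-unknown-value'"),
    ("application/json", "script-src 'nonce-unknown-value'"),
    ("image/png", "script-src 'nonce-unknown-value'"),
    ("text/xml", "script-src 'nonce-unknown-value'"),
]


def after_fix():
    """The same four responses, built with csp_for_response and a fresh nonce each."""
    return [
        (ct, csp_for_response(ct, ct.startswith("text/html"), new_nonce()))
        for ct, _ in BEFORE
    ]


if __name__ == "__main__":
    for i, problem in audit_csp(BEFORE):
        print(f"response {i}: {problem}")
    print("after fix:", audit_csp(after_fix()))
```

Running the audit over the constructed pre-fix capture reports ten findings (the HTML page is flagged only for the short nonce; each of the three non-HTML responses is flagged for a nonce on a non-HTML response, for reusing the value, and for its length), while the responses rebuilt with `csp_for_response` produce none. The same audit works unchanged on headers pulled from a proxy log or a crawler.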

Actions #1

Updated by Clark ANDRIANASOLO 12 days ago

  • Status changed from New to In progress
Actions #2

Updated by Clark ANDRIANASOLO 12 days ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/6527
Actions #3

Updated by Clark ANDRIANASOLO 12 days ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Alexis Mousset 6 days ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 9.0.0~alpha1 which was released today.
