User story #27119
Parent: User story #26934 (closed): Enable CSP on all pages and add tag to exclude a page
CSP headers for pages without scripts are always set with static nonce
Description
In the parent issue, CSP headers are enabled on all pages (except those specifically disabled), but they also add a script-src 'nonce-unknown-value' directive on every request, including API AJAX calls, images, CSS, etc.
The static value unknown-value could then be used in any content that supports CSP (for example with content-type type/xml, or others).
We should set the header to script-src 'none' for pages where no script is tagged with the request nonce value from the server.
This avoids the potential security issue of the static value above being honoured by other CSP-compatible resources.
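The following is an added illustration of the behaviour described above and of the proposed fix; it is not Rudder's code and does not reproduce the pull request. It models a response with a constructed Response class and two header builders: csp_before emits the same static nonce on every response (the reported problem), while csp_after emits a per-request nonce only when the body actually carries a script tagged with that nonce, and script-src 'none' otherwise (API XML, CSS, or a page that rendered no script). The sample responses and the value unknown-value are constructed for the demonstration.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    """Constructed stand-in for an HTTP response (not a real framework type)."""
    content_type: str
    body: str
    nonce: Optional[str] = None  # set only when the renderer issued a nonce for this request


# Placeholder value from the issue description: a nonce that never changes is
# no better than 'unsafe-inline' once an attacker has read it from one response.
STATIC_NONCE = "unknown-value"


def new_nonce() -> str:
    """Fresh, unguessable per-request nonce (128 bits, base64url-encoded)."""
    return secrets.token_urlsafe(16)


def uses_nonce(resp: Response) -> bool:
    """True only if the body contains a <script nonce="..."> tagged with this response's nonce."""
    if resp.nonce is None:
        return False
    pattern = r'<script\b[^>]*\bnonce="' + re.escape(resp.nonce) + r'"'
    return re.search(pattern, resp.body, re.IGNORECASE) is not None


def csp_before(resp: Response) -> str:
    """Behaviour the issue reports: the same static nonce on every response, whatever its type."""
    return f"script-src 'nonce-{STATIC_NONCE}'"


def csp_after(resp: Response) -> str:
    """Proposed fix: allow scripts only via a per-request nonce that the body really uses;
    every other response (API calls, CSS, images, script-less pages) gets script-src 'none'."""
    if uses_nonce(resp):
        return f"script-src 'nonce-{resp.nonce}'"
    return "script-src 'none'"


def render_page_with_script() -> Response:
    """Simulates a page renderer that tags its inline script with the request nonce."""
    nonce = new_nonce()
    body = f'<html><body><script nonce="{nonce}">init();</script></body></html>'
    return Response("text/html", body, nonce)


# Constructed sample responses covering the cases named in the issue.
SAMPLES = {
    "html": render_page_with_script(),
    "xml": Response("application/xml", "<nodes><node id='1'/></nodes>"),
    "css": Response("text/css", "body { margin: 0 }"),
    # a page that received a nonce but rendered no script with it
    "plain": Response("text/html", "<html><body>no scripts</body></html>", new_nonce()),
}


def headers_for_all(samples=SAMPLES) -> dict:
    """Returns {name: (before, after)} so the two policies can be compared side by side."""
    return {name: (csp_before(r), csp_after(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (before, after) in headers_for_all().items():
        print(f"{name:6s} before: {before:40s} after: {after}")
```

The check in uses_nonce is deliberately tied to the response's own nonce rather than to "is this HTML": a page that got a nonce but emitted no tagged script also ends up with 'none', which is what the description asks for, and each render of the HTML sample produces a different nonce value.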
Updated by Clark ANDRIANASOLO 12 days ago
- Status changed from New to In progress
Updated by Clark ANDRIANASOLO 12 days ago
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/6527
Updated by Clark ANDRIANASOLO 12 days ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|15b639b2ab6b20738154d4f118c5e2b65d0ab483.
Updated by Alexis Mousset 6 days ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 9.0.0~alpha1 which was released today.