Opened at 2013-12-15T11:43:29Z
Last modified at 2014-07-29T21:57:24Z
#2136 new defect
Use Content-Security-Policy to harden the WUI — at Initial Version
Reported by: | freddyb | Owned by: | daira |
---|---|---|---|
Priority: | normal | Milestone: | undecided |
Component: | code-frontend-web | Version: | 1.10.0 |
Keywords: | csp wui security xss javascript | Cc: | |
Launchpad Bug: | | | |
Description
I have audited the WUI and the current use of JavaScript would make it very easy to adopt Content-Security-Policy as a defense-in-depth mechanism against XSS and other content-injection attacks against the WUI.
AFAIU one would only have to whitelist a few script files for the download-status-timeline. Everything else could easily work with "no scripts allowed".
A more moderate approach could be "only allow same-origin resources", which could be patched into the WUI similarly to what my X-Frame-Options patch does. See ticket 1455.
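The two policies the ticket sketches ("no scripts allowed" with a whitelisted timeline page, and the more moderate "only same-origin resources"), as an added example that is not Tahoe-LAFS code and not part of the original ticket. It builds the header value per page and then evaluates a few resource loads against it, which is the check that shows why an injected inline `<script>` or an off-site script stops working once the header is set. The page path, origins and file names are constructed for the illustration; the `SCRIPT_PAGES` set stands in for whatever the real timeline page's path is.

```python
"""Build a Content-Security-Policy header for a WUI page and evaluate loads
against it.  Added example, not project code; paths and origins are made up."""
from urllib.parse import urlsplit

# Hypothetical: the only page that genuinely needs script (the timeline).
SCRIPT_PAGES = {"/status/timeline"}


def build_csp(path, mode="strict"):
    """Return the CSP value for `path`.

    mode "strict": no scripts anywhere except the whitelisted timeline page,
        which may load same-origin scripts only.
    mode "same-origin": the moderate 'only same-origin resources' policy.
    """
    if mode == "same-origin":
        return "default-src 'self'"
    if mode != "strict":
        raise ValueError("unknown mode: %r" % mode)
    script_src = "'self'" if path in SCRIPT_PAGES else "'none'"
    # default-src 'none' refuses every fetch not re-allowed by a more specific
    # directive; 'self' for images and styles keeps the WUI's own assets working.
    return ("default-src 'none'; img-src 'self'; style-src 'self'; "
            "script-src %s" % script_src)


def parse_csp(header):
    """Parse "name src src; name src" into {name: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def _source_matches(source, page_url, resource_url):
    """Does one source expression permit `resource_url` loaded from `page_url`?
    Models 'none', 'self', '*' and scheme://host[:port]; other keywords
    (nonces, hashes, 'unsafe-inline') never match an external load here."""
    if source == "*":
        return True
    if source == "'self'":
        return _origin(page_url) == _origin(resource_url)
    if source.startswith("'"):
        return False
    if "://" not in source:
        # Host-only source inherits the page's scheme.
        source = urlsplit(page_url).scheme + "://" + source
    return _origin(source) == _origin(resource_url)


def load_allowed(header, page_url, resource_url, kind):
    """kind is 'script', 'img', 'style', ...; falls back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(kind + "-src", policy.get("default-src", ["*"]))
    return any(_source_matches(s, page_url, resource_url) for s in sources)


def inline_script_allowed(header):
    """Injected inline script (the usual XSS payload) runs only if the
    effective script source list carries 'unsafe-inline'."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    page = "http://127.0.0.1:8123/status/timeline"   # constructed origin
    hdr = build_csp("/status/timeline")
    print(hdr)
    print("own script :", load_allowed(hdr, page, "http://127.0.0.1:8123/static/timeline.js", "script"))
    print("foreign js :", load_allowed(hdr, page, "http://other.example/x.js", "script"))
    print("inline js  :", inline_script_allowed(hdr))
```

Note that neither mode lists `'unsafe-inline'`, so any inline script or event-handler attribute the WUI itself relies on would have to be moved into static files first; that audit is what the ticket says has already been done for most pages.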