#2136 new defect

Use Content-Security-Policy to harden the WUI — at Version 1

Reported by: freddyb Owned by: daira
Priority: normal Milestone: undecided
Component: code-frontend-web Version: 1.10.0
Keywords: csp wui security xss javascript Cc:
Launchpad Bug:

Description (last modified by daira)

I have audited the WUI and the current use of JavaScript would make it very easy to adapt content-security-policy as a defense-in-depth mechanism against XSS and other content-injection attacks against the WUI.

AFAIU one would only have to whitelist a few script files for the download-status-timeline. Everything else could easily work with "no scripts allowed".

A more moderate approach could be "only allow same-origin resources", which could be patched into the WUI similarly to what my X-Frame-Options patch does. See ticket #1455.
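The two policies sketched above, written out as Content-Security-Policy headers together with a small check of what each one lets a script do. This is an added example, not code from the project's WUI; the gateway origin and the timeline script path are constructed placeholders, and only the CSP subset the ticket needs (default-src, script-src, 'none', 'self', 'unsafe-inline', host sources) is modelled.

```python
from urllib.parse import urlparse

# Constructed placeholders for the example; the real gateway origin and the
# timeline's script file names are not taken from the ticket.
WUI_ORIGIN = "http://127.0.0.1:3456"
TIMELINE_SCRIPTS = ("/static/timeline.js",)

def strict_policy(origin=WUI_ORIGIN, scripts=TIMELINE_SCRIPTS):
    """'No scripts allowed' except the whitelisted timeline files."""
    return "default-src 'none'; script-src " + " ".join(origin + p for p in scripts)

def moderate_policy():
    """'Only allow same-origin resources'; inline script is still refused."""
    return "default-src 'self'"

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def _host_source_matches(source, url):
    src, tgt = urlparse(source), urlparse(url)
    if (src.scheme, src.netloc) != (tgt.scheme, tgt.netloc):
        return False
    # A host-source carrying a path matches only that exact path.
    return not src.path or src.path == tgt.path

def script_allowed(header, page_origin, script_url=None):
    """True if the policy lets the script run. script_url=None means an inline
    <script> block, which is the usual shape of an injected XSS payload."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return "'unsafe-inline'" in sources
    for source in sources:
        if source == "'self'":
            if _host_source_matches(page_origin, script_url):
                return True
        elif not source.startswith("'") and _host_source_matches(source, script_url):
            return True
    return False  # 'none', or no source expression matched
```

Under both policies an injected inline script is refused; the strict variant additionally blocks every same-origin script that is not on the whitelist, which is the defense-in-depth gain the ticket describes.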

Change History (1)

comment:1 Changed at 2013-12-15T15:15:10Z by daira

  • Component changed from unknown to code-frontend-web
  • Description modified (diff)
  • Keywords csp wui security xss javascript added