-
New Feature
-
Resolution: Won't Do
-
Normal
-
8.5.0
-
Security Level: Jimmy
-
None
The attached example demonstrates which CSP errors reported in the browser console.
(when the header: "Content-Security-Policy" is used the browser will stop the page execution on the first error). Using the report-only mode allows convenient discovery of recurring policy violations.
<?header name="Content-Security-Policy-Report-Only" value=" default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'"?> <zk> <div> Your Name: <textbox id="name" onOK='response.setValue("Hi, " + self.getValue());'/> <button label="Send" onClick='response.setValue("Hi, " + name.getValue());'/> <separator/> <label id="response"/> <separator/> <button label="Upload" upload="true" onUpload="Clients.showNotification(event.getMedia().getName());"/> <button label="Download" onClick='Filedownload.save("content", "text/plain", "test.txt");'/> </div> </zk>
The example uses the Starter Policy . Resulting in reported violations.
To avoid all those errors the policies would need to be loosened like that:
default-src 'none';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
frame-src 'self';
connect-src 'self' ws://your.server.name:8080/;
img-src 'self';
style-src 'self' 'unsafe-inline';
font-src 'self'
The websocket exception is optional and might not be necessessary for HTTPS/WSS connections (to be tested)
Attached a custom PageRenderer and AuExtension which allows removing the script-src 'unsafe-inline' policy.
iframe-src is currently needed for upload and download
style-src is triggered mostly by setting the innerHTML property of a dom node (a performance/security trade-off could be to parse html before adding it to the DOM)
script-src 'unsafe-eval' is the most tricky part triggered by almost any AU response when evaluating the returned JSON like JS object,
other places might be addressed in a simpler way
- relates to
-
ZK-5265 Add a CSP provider class, which allows the users to define CSPs and provide a nonce used for strict-dynamic support
- Closed
-
ZKCHARTS-66 improve CSP header support
- Closed