Uploaded image for project: 'ZK'
  1. ZK
  2. ZK-3813

improve CSP header support

    XMLWordPrintable

    Details

      Description

      The attached example demonstrates which CSP errors reported in the browser console.
      (when the header: "Content-Security-Policy" is used the browser will stop the page execution on the first error). Using the report-only mode allows convenient discovery of recurring policy violations.

      <?header name="Content-Security-Policy-Report-Only"
      		value="
      		default-src 'none';
      		script-src 'self';
      		connect-src 'self';
      		img-src 'self';
      		style-src 'self';
      		font-src 'self'"?>
      <zk>
      	<div>
      		Your Name: <textbox id="name" onOK='response.setValue("Hi, " + self.getValue());'/>
      		<button label="Send" onClick='response.setValue("Hi, " + name.getValue());'/>
      		<separator/>
      		<label id="response"/>
      		<separator/>
      		<button label="Upload" upload="true" onUpload="Clients.showNotification(event.getMedia().getName());"/>
      		<button label="Download" onClick='Filedownload.save("content", "text/plain", "test.txt");'/>
      	</div>
      </zk>
      

      The example uses the Starter Policy . Resulting in reported violations.

      To avoid all those errors the policies would need to be loosened like that:

      default-src 'none';
      script-src 'self' 'unsafe-inline' 'unsafe-eval';
      frame-src 'self';
      connect-src 'self' ws://your.server.name:8080/;
      img-src 'self';
      style-src 'self' 'unsafe-inline';
      font-src 'self'

      The websocket exception is optional and might not be necessessary for HTTPS/WSS connections (to be tested)

      Attached a custom PageRenderer and AuExtension which allows removing the script-src 'unsafe-inline' policy.

      iframe-src is currently needed for upload and download

      style-src is triggered mostly by setting the innerHTML property of a dom node (a performance/security trade-off could be to parse html before adding it to the DOM)

      script-src 'unsafe-eval' is the most tricky part triggered by almost any AU response when evaluating the returned JSON like JS object,
      other places might be addressed in a simpler way

        Attachments

        1. AuCsp.java
          2 kB
        2. config.xml
          0.2 kB
        3. CspPageRenderer.java
          2 kB

          Issue Links

            Activity

              People

              Assignee:
              DevChu DevChu
              Reporter:
              cor3000 cor3000
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 5 hours
                  1d 5h