
yahoo-eng-team team mailing list archive

[Bug 1618024] [NEW] Content Security Policy support


Public bug reported:

There is a mechanism called Content Security Policy which web
applications can use to mitigate a broad class of content injection
vulnerabilities, such as cross-site scripting (XSS). Content Security
Policy is a declarative policy that lets the authors (or server
administrators) of a web application inform the client about the sources
from which the application expects to load resources
(https://www.w3.org/TR/CSP2/).

It would be great if OpenStack Dashboard supported it out of the box
and enforced it by default. In most cases, implementing CSP support in a
web application consists of the following steps:

1. Review HTML code and try to remove all inline code (JS and CSS) and eval() usage
2. If you can't remove inline code, you should use nonces/hashes
3. Prepare CSP policy and switch it on in Report-Only mode for some time
4. Fix all the bugs from the CSP log
5. Switch CSP into block mode

Additional information:
* https://www.w3.org/TR/CSP2/
* http://githubengineering.com/githubs-csp-journey/
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/
* https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives

** Affects: horizon
     Importance: Undecided
         Status: New


** Tags: csp

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1618024

Title:
  Content Security Policy support

Status in OpenStack Dashboard (Horizon):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1618024/+subscriptions
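The five-step rollout in the bug description, sketched as Python helpers (an added example, not Horizon's code): the header builder for the Report-Only and enforcing stages, the hash source expression for an inline block that cannot be removed, and a triage of the violation report the browser sends back. The /csp-report/ path, the dashboard.example host and the sample report are constructed.

```python
import base64
import hashlib
import json
import secrets
from typing import Iterable, Optional, Tuple

def csp_hash(inline_source: str, algo: str = "sha256") -> str:
    """Source expression ('sha256-<base64>') allowing one inline script/style
    body that could not be moved to an external file (step 2)."""
    digest = hashlib.new(algo, inline_source.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))

def new_nonce() -> str:
    """Fresh per-response nonce; the same value goes into <script nonce="...">."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp_header(report_only: bool, nonce: Optional[str] = None,
                     inline_hashes: Iterable[str] = (),
                     report_uri: str = "/csp-report/") -> Tuple[str, str]:
    """Return (header name, header value). report_only=True is step 3
    (violations are reported but nothing is blocked); False is step 5."""
    script_src = ["'self'"]
    if nonce:
        script_src.append("'nonce-%s'" % nonce)
    script_src.extend(inline_hashes)
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "style-src 'self'",
        "object-src 'none'",
        "report-uri " + report_uri,  # where the browser POSTs violation reports
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)

def triage_violation(report_body: str) -> dict:
    """Pull the fields needed to fix a reported violation (step 4) out of the
    JSON the browser POSTs to report-uri."""
    report = json.loads(report_body)["csp-report"]
    return {k: report.get(k) for k in
            ("document-uri", "violated-directive", "blocked-uri", "source-file", "line-number")}

# Constructed sample report, shaped like a CSP2 violation report (hypothetical host).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://dashboard.example/project/instances/",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "inline",
    "source-file": "https://dashboard.example/project/instances/",
    "line-number": 42,
}})
```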