Add Content-Security-Policy to OSIN pages #17021
To tighten access to OSIN pages, which deal with delicate authorization operations, we should probably add a default Content-Security-Policy[1] of: default-src 'self'.
However, this will also require adding options to let customers change it, as page branding may require them to tweak the CSP so that some images or other assets can be served from a different location than "self".
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Comments
@jwforres we need to consider if we can use the same option for all of Openshift, or if each part will want to use their own settings.
Note that this could be dangerous if our code (or one of the dependencies) are using inline styles, inline JavaScript code, Perhaps, we could start with directive but use
Our own oauth pages don't have much to them and can probably be made to work with CSP OOTB. Some testing will def be required. It is possible we could break a customer's customized templates so we would need to let them turn it off completely if necessary as part of the config. The console is a different story entirely which is why we haven't tackled it. We are fairly certain there are dependency libraries we use that apply inline styles / JS.
I see inline styles in OSIN too due to branding, which is why we are not rushing with this and will need to do it later.
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
@simo5 I would suggest tracking this in Trello given the scope, and closing the issue. There is already a card on the UI side tracking CSP
Done, thanks @jwforres
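The discussion above proposes a `default-src 'self'` baseline, a configuration knob so customers can widen it for branded assets (or disable it entirely), and warns that inline styles and scripts will break under the baseline. The following Go program is an added example illustrating those three points; it is not code from the origin repository, and the function names (`BuildCSP`, `WithCSP`, `PermitsInline`, `ServeCSP`) and the CDN host are assumptions for illustration. It also shows one CSP detail the thread only implies: when `style-src`/`script-src` are absent, browsers fall back to `default-src`, so the bare baseline blocks inline styles.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultOAuthCSP is the baseline policy proposed in the issue:
// every asset must come from the page's own origin.
const DefaultOAuthCSP = "default-src 'self'"

// BuildCSP composes the baseline plus optional per-directive allowances for
// branded templates (e.g. a logo served from a CDN). extra maps a directive
// name to additional source expressions; 'self' is always kept so same-origin
// assets keep loading. Directives are emitted in a fixed order so the header
// is deterministic and easy to diff in config reviews.
func BuildCSP(extra map[string][]string) string {
	parts := []string{DefaultOAuthCSP}
	for _, d := range []string{"img-src", "style-src", "script-src", "font-src"} {
		srcs, ok := extra[d]
		if !ok || len(srcs) == 0 {
			continue
		}
		parts = append(parts, d+" 'self' "+strings.Join(srcs, " "))
	}
	return strings.Join(parts, "; ")
}

// WithCSP wraps a handler so every response carries the given policy.
// An empty policy disables the header, the "turn it off completely"
// escape hatch mentioned in the discussion.
func WithCSP(policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if policy != "" {
			w.Header().Set("Content-Security-Policy", policy)
		}
		next.ServeHTTP(w, r)
	})
}

// PermitsInline reports whether a policy allows inline content for the given
// directive ("style-src" or "script-src"). CSP falls back to default-src when
// the specific directive is absent, which is why "default-src 'self'" alone
// blocks the inline styles that branded OAuth templates rely on.
func PermitsInline(policy, directive string) bool {
	directives := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 {
			continue
		}
		directives[fields[0]] = fields[1:]
	}
	srcs, ok := directives[directive]
	if !ok {
		srcs, ok = directives["default-src"]
		if !ok {
			return true // no policy at all: nothing is restricted
		}
	}
	for _, s := range srcs {
		if s == "'unsafe-inline'" {
			return true
		}
	}
	return false
}

// ServeCSP exercises the middleware against a constructed request to a
// hypothetical /oauth/authorize page and returns the header the client sees.
func ServeCSP(policy string) string {
	h := WithCSP(policy, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>login form</html>")
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/oauth/authorize", nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	branded := BuildCSP(map[string][]string{"img-src": {"https://cdn.example.com"}}) // constructed host
	fmt.Println("baseline:", ServeCSP(DefaultOAuthCSP))
	fmt.Println("branded: ", ServeCSP(branded))
	fmt.Println("disabled header present:", ServeCSP("") != "")
	fmt.Println("baseline permits inline styles:", PermitsInline(DefaultOAuthCSP, "style-src"))
}
```

The `PermitsInline` check is the kind of pre-flight a deployment could run over a customer-supplied policy: if a template carries inline styles and the check returns false for `style-src`, the page will render unstyled, so the operator either adds a `style-src` allowance or accepts the breakage deliberately.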