stable

Deploy a resource isolation policy

The goal is to prevent external websites from accessing the resources served by a Tuleap instance. This is a strong defense in depth against CSRF, cross-site script inclusion and more generally against cross-site leaks [0].

Of course, the REST API is supposed to be callable cross-origin so it is excluded from the policy. Images are also excluded from the policy: some of the static assets can be needed cross-origin and it is likely we would break some existing use cases with it. It is preferable we start without them for now and add a log in another contribution to detect images that would have been broken with an enforced resource isolation policy on images.

The choice has been made to enforce the policy as soon as possible (i.e. at the nginx level) to be sure we do not end up leaking information by mistake.

This sort of policy is only possible for browsers sending Fetch Metadata headers (Chrome 76+, Firefox 90+) so this can only be considered as an added layer of protection; Tuleap still supports browsers older than that.

To test, you need to redeploy the nginx configuration. Nothing is supposed to be broken for standard use cases. Loading resources (e.g. one of the scripts) from another site should now be blocked. If this change ends up being problematic on some production servers, a quick fix can be to drop the configuration file and restart/reload the nginx service.

Part of request #22619: Deploy a resource isolation policy

[0] https://w3c.github.io/webappsec-post-spectre-webdev/

Change-Id: I01e76edc104691c1dd0d6c2311d10eead689e474
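For readers who want to see what an nginx-level Fetch Metadata resource isolation policy of the kind described above looks like, here is an added illustrative configuration. It is written for this page and is not the 12-fetch-metadata-resource-isolation.conf file shipped by the change (that file's contents are not shown here). It follows the resource isolation policy from [0]: requests carrying no Sec-Fetch-Site header (older browsers) pass through, same-origin, same-site and user-initiated (none) requests pass, cross-site top-level GET navigations pass unless the destination is object or embed, and everything else is refused with 403. The /api/ prefix and the image extensions are assumed exemptions standing in for whatever the real change excludes; the $fetch_metadata_* variable names are mine. The map blocks must live in the http context, the if in a server or location block.

```nginx
# Added example, not Tuleap's own configuration file.
# Paths exempted from the policy (assumed: REST API prefix and image extensions).
map $uri $fetch_metadata_exempt {
    default                                  0;
    ~^/api/                                  1;
    ~*\.(png|jpe?g|gif|svg|webp|ico)$        1;
}

# Resource isolation decision, computed over one concatenated key so that
# several conditions can be combined in a single map.
# Key layout: exempt:Sec-Fetch-Site:Sec-Fetch-Mode:method:Sec-Fetch-Dest
map "$fetch_metadata_exempt:$http_sec_fetch_site:$http_sec_fetch_mode:$request_method:$http_sec_fetch_dest" $fetch_metadata_deny {
    default                                                 1;   # cross-site sub-resource loads and anything unexpected: deny
    "~^1:"                                                  0;   # exempted path, policy does not apply
    "~^0::"                                                 0;   # no Sec-Fetch-Site header: browser without Fetch Metadata, allow
    "~^0:(same-origin|same-site|none):"                     0;   # same origin/site or user-initiated (typed URL, bookmark)
    "~^0:cross-site:navigate:GET:(?!object|embed)"          0;   # cross-site top-level GET navigation, except <object>/<embed>
}

server {
    listen 443 ssl;
    server_name tuleap.example;   # assumed hostname

    # Enforce before any proxying so nothing is served by mistake.
    if ($fetch_metadata_deny) {
        return 403;
    }

    # ... rest of the Tuleap server configuration (proxy_pass, static assets, etc.)
}
```

To check the behaviour after reloading nginx, a request such as `curl -H 'Sec-Fetch-Site: cross-site' -H 'Sec-Fetch-Mode: no-cors' -H 'Sec-Fetch-Dest: script' https://tuleap.example/assets/app.js` should get a 403, the same request with `Sec-Fetch-Site: same-origin` (or with no Sec-Fetch-* headers at all) should be served, and `https://tuleap.example/api/version` should be served regardless of the headers. Note that the absence of the headers is deliberately treated as allow, which is exactly why this remains an added layer rather than the primary CSRF or leak protection.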

Modified Files

Name
M src/common/REST/GateKeeper.class.php +20 −2
A src/etc/nginx/tuleap.d/12-fetch-metadata-resource-isolation.conf +89 −0
M tests/unit/common/REST/GateKeeperTest.php +10 −1