request #17967 Deploy a useful content security policy

Infos

Artifact ID#17967

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-10-22 16:21

Submitted on2020-11-06 11:06

Rank19498

Details

Summary *

Deploy a useful content security policy

Original Submission

As of today, Tuleap sets a Content Security Policy [0] that has a very limited usefulness because it is very lax and in "allow all" mode by default. The CSP is an additional layer that could allow us to detect and mitigate XSS and other data injection/theft attacks.

The plan is as follows:
1. Move the current policy to a deny all mode by default but keeping it lax as it is today
2. Set a proper and strict policy but in a report only mode
3. Move this policy out of the report only mode

The steps 2 and 3 are likely to be quite challenging due to some of the elements Tuleap is using (e.g. CKEditor4) or even its own code. It's also likely that to properly apply those changes it's going to require some large refactoring in the way the HTTP requests are handled.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

CategoryOther

Reported in versionEmpty

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusUnder implementation

Close dateEmpty

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #17967

Artifact

request #18449 Avatar modification is not visible until the new avatar is saved

request #19179 Potential XSS when accessing a file stored in a SVN repository

Show items referenced by request #17967

Referenced by request #17967

Artifact

rel #16653 12.3

rel #18826 12.5

rel #44428 17.0

Other

Follow-ups

Manuel Vacelet (vaceletm)

2025-10-22 16:21

Connected artifacts
- Added: rel #44428

Nicolas Terray (nterray)

2022-08-19 12:05

gerrit #26577 integrated into Tuleap 13.12.99.19

Nicolas Terray (nterray)

2022-02-17 17:36

gerrit #25155 integrated into Tuleap 13.5.99.119

Nicolas Terray (nterray)

2022-02-15 17:57

gerrit #25129 integrated into Tuleap 13.5.99.85

Nicolas Terray (nterray)

2022-02-15 17:43

gerrit #25128 integrated into Tuleap 13.5.99.83

Nicolas Terray (nterray)

2022-02-15 14:58

gerrit #25106 integrated into Tuleap 13.5.99.77

Yannis ROSSETTO (rossettoy)

2022-02-05 09:54

gerrit #25028 integrated into Tuleap 13.5.99.11

Yannis ROSSETTO (rossettoy)

2022-01-20 15:00

gerrit #24897 integrated into Tuleap 13.4.99.107

Nicolas Terray (nterray)

2021-12-07 09:01

gerrit #24591 integrated into Tuleap 13.2.99.151

Nicolas Terray (nterray)

2021-12-01 17:25

gerrit #24565 integrated into Tuleap 13.2.99.131

Nicolas Terray (nterray)

2021-11-26 14:10

gerrit #24529 integrated into Tuleap 13.2.99.95

Nicolas Terray (nterray)

2021-11-23 08:41

gerrit #24512 integrated into Tuleap 13.2.99.66

Nicolas Terray (nterray)

2021-11-16 10:53

gerrit #24465 integrated into Tuleap 13.2.99.9

Marie Ange Garnier (marieange)

2021-08-17 10:39

gerrit #23710 integrated into Tuleap 12.11.99.203

Lorentz Romain (lorentzr)

2021-08-16 11:53

gerrit #23657 integrated to Tuleap 12.11.99.184

Benjamin Bouillot (ben.bouillot)

2021-05-18 16:37

gerrit #22746 integrated into Tuleap 12.8.99.159

Benjamin Bouillot (ben.bouillot)

2021-05-18 14:20

gerrit #22747 integrated into Tuleap 12.8.99.156

Benjamin Bouillot (ben.bouillot)

2021-05-17 15:56

gerrit #22737 integrated into Tuleap 12.8.99.148

Benjamin Bouillot (ben.bouillot)

2021-05-07 15:14

gerrit #22669 integrated into Tuleap 12.8.99.98

Lorentz Romain (lorentzr)

2021-05-05 13:47

gerrit #22622 integrated to Tuleap 12.8.99.71

Benjamin Bouillot (ben.bouillot)

2021-04-22 17:33

gerrit #22480 integrated into Tuleap 12.7.99.129

Joris MASSON (jmasson)

2021-04-14 10:40

gerrit #22419 integrated in its repository

Lorentz Romain (lorentzr)

2021-04-14 10:07

gerrit #22419 in review

Manuel Vacelet (vaceletm)

2021-04-12 10:14

gerrit #22400 integrated in Tuleap 12.7.99.55

Manuel Vacelet (vaceletm)

2021-04-02 14:46

gerrit #22165 integrated in Tuleap 12.7.99.26

Clarck Robinson (robinsoc)

2021-03-19 16:38

gerrit #22181 integrated into Tuleap 12.6.99.154.

Yannis ROSSETTO (rossettoy)

2021-03-19 15:18

gerrit #22173 integrated to Tuleap 12.6.99.149

Yannis ROSSETTO (rossettoy)

2021-03-18 18:07

gerrit #22179 integrated to Tuleap 12.6.99.145

Yannis ROSSETTO (rossettoy)

2021-03-18 17:00

gerrit #22169 integrated to external repository

Yannis ROSSETTO (rossettoy)

2021-03-18 16:57

gerrit #22168 integrated to Tuleap 12.6.99.143

Yannis ROSSETTO (rossettoy)

2021-03-18 14:50

gerrit #22170 integrated to external repository

Manuel Vacelet (vaceletm)

2021-01-26 10:51

gerrit #21521 (Add the browser user agent to the logged CSP violation reports) integrated in Tuleap 12.4.99.181

Connected artifacts
- Added Fixed in: rel #18826

Joris MASSON (jmasson)

2021-01-19 16:54

gerrit #21431 integrated in Tuleap 12.4.99.119

Lorentz Romain (lorentzr)

2021-01-19 09:14

gerrit #21351 integrated to Tuleap 12.4.99.102

Manuel Vacelet (vaceletm)

2020-12-10 10:22

Connected artifacts
- Added Fixed in: rel #16653

Joris MASSON (jmasson)

2020-12-07 15:46

gerrit #20979 (No element on the user registration confirmation page should be blocked by the Content-Security-Policy) integrated in Tuleap 12.2.99.179

Manuel Vacelet (vaceletm)

2020-12-07 10:27

gerrit #20981 (Users of Chrome/Chromium based browsers cannot authorize an OAuth2 app due to the Content-Security-Policy) integrated in Tuleap 12.2.99.172

Manuel Vacelet (vaceletm)

2020-11-30 09:14

gerrit #20902 (Mailman administration is not usable) integrated in Tuleap 12.2.99.106

Nicolas Terray (nterray)

2020-11-26 14:33

gerrit #20897 integrated into Tuleap 12.2.99.94

Lorentz Romain (lorentzr)

2020-11-25 12:20

gerrit #20880 integrated to Tuleap 12.2.99.82

Lorentz Romain (lorentzr)

2020-11-23 14:25

gerrit #20853 integrated into Tuleap 12.2.99.59