Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #17967 Deploy a useful content security policy
    Actions
    Infos
    #17967
    Thomas Gerbet (tgerbet)
    2022-08-19 12:05
    2020-11-06 11:06
    19491
    Details
    Deploy a useful content security policy
    As of today, Tuleap sets a Content Security Policy [0] that has a very limited usefulness because it is very lax and in "allow all" mode by default. The CSP is an additional layer that could allow us to detect and mitigate XSS and other data injection/theft attacks.


    The plan is as follows:
    1. Move the current policy to a deny all mode by default but keeping it lax as it is today
    2. Set a proper and strict policy but in a report only mode
    3. Move this policy out of the report only mode


    The steps 2 and 3 are likely to be quite challenging due to some of the elements Tuleap is using (e.g. CKEditor4) or even its own code. It's also likely that to properly apply those changes it's going to require some large refactoring in the way the HTTP requests are handled.



    [0] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    Other
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Under implementation
    Empty
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #16653 Tuleap Releases 12.3 Delivered 2020-10-12 09:59 Manuel Vacelet (vaceletm)
    rel #18826 Tuleap Releases 12.5 Delivered 2021-10-02 17:12 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #17967

    Artifact Tracker v5

    request #18449 Avatar modification is not visible until the new avatar is saved
    request #19179 Potential XSS when accessing a file stored in a SVN repository

    Git commit

    tuleap/tuleap/stable

    Set a deny-all Content-Security-Policy header when none is set b767bc5c12
    User avatar Thomas Gerbet (tgerbet) , 2020-11-09 20:21
    Transform the existing lax Content-Security-Policy set on HTML pages to a deny-all default 9b050436cc
    User avatar Thomas Gerbet (tgerbet) , 2020-11-18 08:45
    Collect Content-Security-Violation violation reports f8d03b1090
    User avatar Thomas Gerbet (tgerbet) , 2020-11-19 09:43
    Report violation of the default Content-Security-Policy 09793d1cd9
    User avatar Thomas Gerbet (tgerbet) , 2020-11-20 13:35
    Move Content-Security-Policy violation reports to the info level fe05cc8365
    User avatar Thomas Gerbet (tgerbet) , 2020-11-24 16:00
    Fix Content-Security-Policy issue in docman pages 0a038a51da
    User avatar Thomas Gerbet (tgerbet) , 2020-11-26 11:01
    Mailman administration is not usable 1408c1058e
    User avatar Thomas Gerbet (tgerbet) , 2020-11-27 17:32
    Users of Chrome/Chromium based browsers cannot authorize an OAuth2 app due to the Content-Security-Policy 806218e71c
    User avatar Thomas Gerbet (tgerbet) , 2020-12-03 21:03
    No element on the user registration confirmation page should be blocked by the Content-Security-Policy 487b79b994
    User avatar Thomas Gerbet (tgerbet) , 2020-12-07 15:18
    Add the sandbox directive on the default deny-all Content-Security-Policy c39b1b73b3
    User avatar Thomas Gerbet (tgerbet) , 2021-01-13 14:45
    Ask for a sample when reporting a content security policy violation 71da00ba97
    User avatar Thomas Gerbet (tgerbet) , 2021-01-18 22:41
    Add the browser user agent to the logged CSP violation reports 8863025144
    User avatar Thomas Gerbet (tgerbet) , 2021-01-22 14:00
    Remove IncludeAssets::getHTMLSnippet() 2d4382c3c3
    User avatar Thomas Gerbet (tgerbet) , 2021-03-18 14:21
    JS error on the FP pages of the Git, SVN and OIDC plugins 4449c729f6
    User avatar Thomas Gerbet (tgerbet) , 2021-03-18 17:39
    Chrome complains about an invalid source in the default-src directive of the Content Security Policies 0adbdda619
    User avatar Thomas Gerbet (tgerbet) , 2021-03-18 15:28
    JS issues when creating/updating a release ac9b9112f5
    User avatar Thomas Gerbet (tgerbet) , 2021-03-19 08:01
    Harden Content-Security-Policy of the embedded documentation be17863770
    User avatar Thomas Gerbet (tgerbet) , 2021-03-18 12:30
    Add a nonce to script added via the global/main API 7dea175342
    User avatar Thomas Gerbet (tgerbet) , 2021-04-09 16:18
    Captcha plugin loads its scripts with a nonce 6efefdc0af
    User avatar Thomas Gerbet (tgerbet) , 2021-04-22 09:59
    All scripts of the user registration are loaded with a nonce abb304f897
    User avatar Thomas Gerbet (tgerbet) , 2021-05-05 10:59
    Remove unused Tracker_FormElement_Field_List_Bind::fetchDecoratorsAsJavascript dd54814c62
    User avatar Thomas Gerbet (tgerbet) , 2021-05-07 10:51
    All script tags in the tracker plugin have a nonce attribute 68b8d4df2c
    User avatar Thomas Gerbet (tgerbet) , 2021-05-14 17:51
    All script tags of the project links plugin have a nonce attribute 33c1436159
    User avatar Thomas Gerbet (tgerbet) , 2021-05-18 12:14
    All script tags in the FRS service have a nonce attribute f5c3399814
    User avatar Thomas Gerbet (tgerbet) , 2021-05-18 12:05
    Remove javascript:help_window handler 87253ba050
    User avatar Thomas Gerbet (tgerbet) , 2021-08-10 14:24
    Opening a document inside the docman plugin should not always open a new window daef4b352f
    User avatar Thomas Gerbet (tgerbet) , 2021-08-17 10:05
    Remove usage of javascript: URIs on the installed plugin page 6487bd89cc
    User avatar Thomas Gerbet (tgerbet) , 2021-11-12 16:31
    Remove usage of javascript: URIs in the FRS plugin app 7456537dce
    User avatar Thomas Gerbet (tgerbet) , 2021-11-19 15:33
    Remove usage of javascript: URIs in the Git plugin 95367f599c
    User avatar Thomas Gerbet (tgerbet) , 2021-11-23 10:36
    Remove usage of the javascript: URI in the project contact widget 2cee4ebcaa
    User avatar Thomas Gerbet (tgerbet) , 2021-11-29 15:52
    Remove usage of javascript: URIs in tracker colorpickers and workflow administration 1a3637b8cc
    User avatar Thomas Gerbet (tgerbet) , 2021-12-02 10:43
    Remove usage of the javascript: URI in the hudson_git plugin e5e261a4c0
    User avatar Thomas Gerbet (tgerbet) , 2022-01-19 10:58
    Remove usage of javascript: URIs in the SVN plugin e025af68df
    User avatar Thomas Gerbet (tgerbet) , 2022-02-01 11:01
    Remove usage of javascript: URIs in the tracker plugin f7d63cd63e
    User avatar Thomas Gerbet (tgerbet) , 2022-02-08 14:13
    Remove usage of javascript: URI on the "Add dashboard" button efe20d420c
    User avatar Thomas Gerbet (tgerbet) , 2022-02-15 11:28
    Remove usage of javascript: URI on the site administration project template pages 14897f69f5
    User avatar Thomas Gerbet (tgerbet) , 2022-02-15 15:15
    Remove usages of javascript: URIs on the PaginationPresenter 0eb047c9fe
    User avatar Thomas Gerbet (tgerbet) , 2022-02-15 15:20
    Remove usage of javascript: URIs in the Document plugin 626e7b8f4e
    User avatar Thomas Gerbet (tgerbet) , 2022-02-16 17:09
    Drop onClick handler abuse made by Prototype.js in order to support IE and old Opera browsers fa89d15f83
    User avatar Thomas Gerbet (tgerbet) , 2022-08-19 09:29
    Remove IncludeAssets::getHTMLSnippet() ad4076d5ae
    User avatar Thomas Gerbet (tgerbet) , 2021-03-18 13:51
    Remove IncludeAssets::getHTMLSnippet() 91f9dd2803
    User avatar Thomas Gerbet (tgerbet) , 2021-03-18 13:53
    Display settings

    Follow-ups

    User avatar
    Joris MASSON (jmasson)2020-12-07 15:46
    gerrit #20979 (No element on the user registration confirmation page should be blocked by the Content-Security-Policy) integrated in Tuleap 12.2.99.179
    User avatar
    Manuel Vacelet (vaceletm)2020-12-07 10:27

    gerrit #20981 (Users of Chrome/Chromium based browsers cannot authorize an OAuth2 app due to the Content-Security-Policy) integrated in Tuleap 12.2.99.172