request #22619 Deploy a resource isolation policy

Artifact

Infos

Artifact ID#22619

Submitted byThomas Gerbet (tgerbet)

Last Modified On2021-09-20 13:31

Submitted on2021-08-09 17:11

Rank24182

Details

Summary *

Deploy a resource isolation policy

Original Submission

The goal is to prevent external websites to access the resources served by a Tuleap instance. The only exception being the only resource that is supposed to be accessed cross-origin: the REST API.

This is a strong defense in depth against CSRF, cross-site script inclusion and more generally against cross site leaks.

Deploying such a policy is possible thanks to the fetch metadata headers that browsers send, see https://www.w3.org/TR/fetch-metadata/

CategoryOther

Reported in versionEmpty

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusUnder implementation

Close dateEmpty

Attachments

Connected artifacts

Artifact links

Empty

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #22619

Git commit

tuleap/tuleap/stable

Deploy a resource isolation policy 163e37dfdc

Thomas Gerbet (tgerbet) , 2021-09-20 11:50

Show items referenced by request #22619

Referenced by request #22619

Other

gerrit #23643

Follow-ups

Nicolas Terray (nterray)

2021-09-20 13:31

gerrit #23643 integrated into Tuleap 13.0.99.14

Thomas Gerbet (tgerbet)

2021-08-09 18:04

See first (and main) patch: gerrit #23643.

Public