Wim DGGroep (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=63232eae55a96b85c3127326) *created* an issue

GeoServer / Improvement GEOS-10653: Compatibility of Geoserver management interface with strict and secure CSP-headers
https://osgeo-org.atlassian.net/browse/GEOS-10653?atlOrigin=eyJpIjoiZTI2NDU2NzVhMzk4NDVlNDg3NDk1MWY1NjI1YTM4OTIiLCJwIjoiaiJ9

Issue Type: Improvement
Affects Versions: 2.20.4
Assignee: Unassigned
Components: Security
Created: 15/Sep/22 4:19 PM
Environment: Windows server, Tomcat application platform.
Priority: Medium
Reporter: Wim DGGroep (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=63232eae55a96b85c3127326)

Our organization's security policy requires the setting of Content Security 
Policy (CSP) headers in Tomcat. The Geoserver management interface, however, is 
not compatible with strict and safe CSP headers. In order for the Geoserver 
management interface to be able to function, the following CSP headers must be 
set:

    default-src 'none';
    script-src 'self' 'unsafe-inline' 'unsafe-eval';
    connect-src 'self';
    img-src 'self' data:;
    style-src 'self' 'unsafe-inline';
    base-uri 'self';
    form-action 'self';
    frame-ancestors 'self';
    block-all-mixed-content;
    frame-src 'self'

The unsafe headers are the ones related to script-src: 'unsafe-inline' and 
'unsafe-eval' are necessary; otherwise the Geoserver management interface stops 
functioning in certain aspects (for example, adding a new SQL view).

The unsafe headers alas weaken the website's protection against cross-site 
scripting attacks.
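As an added illustration (not part of the issue or of GeoServer's own code), a small Python audit that parses a CSP value the way a browser would and reports the source expressions the reporter identifies as weakening the policy; the policy string below is a constructed copy of the one quoted in the issue, and the nonce handling reflects CSP Level 2 behaviour, where a nonce or hash makes browsers ignore 'unsafe-inline'.

```python
"""Audit a Content-Security-Policy header for sources that weaken its XSS protection."""

# Source expressions that reintroduce the inline/eval execution CSP exists to block.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
# Directives audited here: script-src governs JavaScript, style-src governs CSS injection.
AUDITED = ("script-src", "style-src")
# Nonce/hash sources: when present, CSP Level 2 browsers ignore 'unsafe-inline'.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed copy of the policy the issue says the GeoServer admin UI requires.
GEOSERVER_REQUIRED_CSP = (
    "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; "
    "base-uri 'self'; form-action 'self'; frame-ancestors 'self'; "
    "block-all-mixed-content; frame-src 'self'"
)


def parse_csp(header):
    """Split a CSP value into {directive: [sources]}.
    Browsers honour the first occurrence of a duplicated directive, so we do too."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources that apply to a fetch directive: its own list, else the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header):
    """Return [(directive, weak_source), ...] for every weakening source in the audited directives."""
    policy = parse_csp(header)
    findings = []
    for directive in AUDITED:
        sources = effective_sources(policy, directive)
        has_nonce_or_hash = any(s.lower().startswith(NONCE_OR_HASH) for s in sources)
        for source in sources:
            if source.lower() == "'unsafe-inline'" and has_nonce_or_hash:
                continue  # ignored by CSP2 browsers once a nonce or hash is present
            if source.lower() in WEAK_SOURCES:
                findings.append((directive, source))
    return findings


if __name__ == "__main__":
    for directive, source in audit_csp(GEOSERVER_REQUIRED_CSP):
        print(f"{directive}: {source} weakens the policy")
```

Run against the issue's policy it reports the two script-src sources the reporter names plus the style-src 'unsafe-inline'; a nonce-based policy, which the admin UI cannot currently emit, would audit clean.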

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel