[
https://issues.apache.org/jira/browse/AMQ-9697?focusedWorklogId=969274&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-969274
]
ASF GitHub Bot logged work on AMQ-9697:
---------------------------------------
Author: ASF GitHub Bot
Created on: 12/May/25 04:12
Start Date: 12/May/25 04:12
Worklog Time Spent: 10m
Work Description: sergio-d-lemos opened a new pull request, #1428:
URL: https://github.com/apache/activemq/pull/1428
[AMQ-9697]: Moves inline CSS and Javascript scripts to dedicated files in
the Web Console. The changes allow enabling the Content Security Policy header
in jetty.xml so that inline scripts are blocked, offering another layer of
protection against script injections.
Issue Time Tracking
-------------------
Worklog Id: (was: 969274)
Remaining Estimate: 0h
Time Spent: 10m
> Add Security Content Policy header to the Web Console
> -----------------------------------------------------
>
> Key: AMQ-9697
> URL: https://issues.apache.org/jira/browse/AMQ-9697
> Project: ActiveMQ Classic
> Issue Type: Improvement
> Components: Web Console
> Affects Versions: 6.0.0, 6.1.0, 6.1.2, 6.1.3, 6.1.4, 5.19.0, 6.1.5, 6.1.6,
> 5.19.1
> Reporter: Sérgio Lemos
> Assignee: Jean-Baptiste Onofré
> Priority: Minor
> Fix For: 6.x
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> I’d like to propose that we add a Content Security Policy (CSP) Header to the
> Web Console page restricting to CSS and Javascript assets from the same
> origin and blocking inline styles and scripts. We already did similar
> improvements when we added other headers in
> [https://github.com/apache/activemq/blame/main/assembly/src/release/conf/jetty.xml].
> I can see that the c:out tags used in the JSP pages already do sanitization
> (at least my naive attempt to create a queue called
> “<script>alert('hello');</script>” did not result in the code being
> executed). The CSP header can provide another safety net.
> I propose to add the following header configuration to jetty.xml:
> {code:java}
> <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
> <property name="pattern" value="*"/>
> <property name="name" value="Content-Security-Policy"/>
> <property name="value" value="upgrade-insecure-requests; style-src-elem
> 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src
> 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> </bean>{code}
> This change will also require to refactor all the JSP pages in the Web
> Console to move all inline CSS and Javascript code to their respective .css
> and .js files. Details on the CSP values can be found in
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy].
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
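A reviewer of the proposed header wants to confirm what the policy actually enforces before the JSP refactor lands: that inline `<script>` and `<style>` blocks are refused, that inline event-handler attributes are refused too (script-src-attr has no explicit value, so it falls back through script-src to `default-src 'none'`), that the console's own same-origin .js and .css files still load, and that framing and plugins are off. The following is an added example written for this page, not ActiveMQ project code and not the Jetty HeaderPatternRule: a small CSP evaluator that applies the CSP Level 3 fallback chain to a header value and answers those questions. The `WEAK_CSP` value, the `localhost:8161` page origin and the file names are constructed for the demonstration; the source matcher is deliberately simplified (no nonce/hash evaluation, no path matching).

```python
"""Check a Content-Security-Policy header value for the properties the
AMQ-9697 proposal aims at: inline scripts/styles blocked, scripts only from
the console's own origin, no framing, no plugins.  Added example code with a
simplified source-expression matcher (no nonce/hash or path handling)."""
from urllib.parse import urlparse

# Policy value exactly as proposed in the issue text.
PROPOSED_CSP = (
    "upgrade-insecure-requests; style-src-elem 'self'; style-src 'self'; "
    "img-src 'self'; script-src-elem 'self'; default-src 'none'; "
    "object-src 'none'; frame-ancestors 'none'; base-uri 'none';"
)
# Constructed weak policy for comparison: 'unsafe-inline' defeats the purpose.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

# Fallback chain (CSP Level 3): a missing directive defers to the next listed.
# frame-ancestors, base-uri and upgrade-insecure-requests never fall back.
FALLBACKS = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "img-src": ["default-src"],
    "object-src": ["default-src"],
}


def parse_csp(header):
    """Parse 'name src src; name src' into {name: [sources]}.  Directive
    names are case-insensitive; a repeated directive keeps its first value,
    which is how browsers treat duplicates."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list that governs `directive` after fallback, or None if the
    policy says nothing about it (meaning: unrestricted)."""
    for name in [directive] + FALLBACKS.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def allows_inline(policy, directive):
    """Inline content is permitted only by 'unsafe-inline', and a nonce or
    hash source in the same list switches 'unsafe-inline' off again."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def _host_matches(pattern, target):
    """Match a host-source such as https://cdn.example, cdn.example:8443 or
    *.example against a parsed URL (paths are ignored in this toy)."""
    scheme, sep, rest = pattern.partition("://")
    if sep and scheme != target.scheme:
        return False
    host, _, port = (rest if sep else pattern).split("/")[0].partition(":")
    if port and port != str(target.port or ""):
        return False
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host


def allows_url(policy, directive, url, page_origin):
    """Does the effective list for `directive` permit fetching `url` from a
    document whose origin is `page_origin` (scheme://host[:port])?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    target = urlparse(url)
    for src in sources:
        s = src.lower()
        if s == "'self'":
            if f"{target.scheme}://{target.netloc}" == page_origin:
                return True
        elif s.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonces, hashes never match a URL
        elif s == "*" or (s.endswith(":") and target.scheme == s[:-1]):
            return True
        elif _host_matches(s, target):
            return True
    return False


def review_policy(header, page_origin="http://localhost:8161"):
    """Answer the questions a reviewer asks of the Web Console policy."""
    policy = parse_csp(header)
    own_js = page_origin + "/js/common.js"          # constructed asset path
    foreign_js = "https://cdn.example/lib.js"       # constructed other origin
    return {
        "inline_script_blocked": not allows_inline(policy, "script-src-elem"),
        "inline_event_handler_blocked": not allows_inline(policy, "script-src-attr"),
        "inline_style_blocked": not allows_inline(policy, "style-src-elem"),
        "same_origin_script_allowed": allows_url(policy, "script-src-elem", own_js, page_origin),
        "cross_origin_script_blocked": not allows_url(policy, "script-src-elem", foreign_js, page_origin),
        "framing_blocked": policy.get("frame-ancestors") == ["'none'"],
        "plugins_blocked": effective_sources(policy, "object-src") == ["'none'"],
    }


if __name__ == "__main__":
    for label, value in (("proposed", PROPOSED_CSP), ("weak", WEAK_CSP)):
        print(label, review_policy(value))
```

Running it shows every check passing for the proposed header and `inline_script_blocked` failing for the constructed weak one. The practical consequence for the refactor in PR #1428 is the `script-src-attr` result: because nothing in the proposed header allows inline event handlers, any `onclick=`-style attribute left in a JSP page will stop working once the header is enabled, so those need to move into the .js files along with the `<script>` blocks.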