[jira] [Work logged] (AMQ-9697) Add Security Content Policy header to the Web Console

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/AMQ-9697?focusedWorklogId=970681&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-970681
 ]

ASF GitHub Bot logged work on AMQ-9697:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 26/May/25 09:25
            Start Date: 26/May/25 09:25
    Worklog Time Spent: 10m 
      Work Description: jbonofre commented on PR #1428:
URL: https://github.com/apache/activemq/pull/1428#issuecomment-2909048631

   At first glance it looks good to me. I'm doing a larger pass in details (and 
test).




Issue Time Tracking
-------------------

    Worklog Id:     (was: 970681)
    Time Spent: 20m  (was: 10m)

> Add Security Content Policy header to the Web Console
> -----------------------------------------------------
>
>                 Key: AMQ-9697
>                 URL: https://issues.apache.org/jira/browse/AMQ-9697
>             Project: ActiveMQ Classic
>          Issue Type: Improvement
>          Components: Web Console
>    Affects Versions: 6.0.0, 6.1.0, 6.1.2, 6.1.3, 6.1.4, 5.19.0, 6.1.5, 6.1.6, 
> 5.19.1
>            Reporter: Sérgio Lemos
>            Assignee: Jean-Baptiste Onofré
>            Priority: Minor
>             Fix For: 6.2.0, 5.19.1, 6.1.7, 5.18.8
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> I’d like to propose that we add a Content Security Policy (CSP) Header to the 
> Web Console page restricting to CSS and Javascript assets from the same 
> origin and blocking inline styles and scripts. We already did similar 
> improvements when we added other headers in 
> [https://github.com/apache/activemq/blame/main/assembly/src/release/conf/jetty.xml].
> I can see that the c:out tags used in the JSP pages already does sanitization 
> (at least my naive attempt to create a queue called 
> “<script>alert('hello');</script>” did not result in the code being 
> executed). The CSP header can provide another safety net. 
> I propose to add the following header configuration to jetty.xml:
> {code:java}
> <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
> <property name="pattern" value="*"/>
> <property name="name" value="Content-Security-Policy"/>
> <property name="value" value="upgrade-insecure-requests; style-src-elem 
> 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src 
> 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> </bean>{code}
> This change will also require to refactor all the JSP pages in the Web 
> Console to move all inline CSS and Javascript code to their respective .css 
> and .js files. Details on the CSP values can be found in 
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy].
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@activemq.apache.org
For additional commands, e-mail: issues-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact