[jira] [Resolved] (AMQ-9697) Add Security Content Policy header to the Web Console

Thu, 29 May 2025 21:48:31 -0700 


     [ 
https://issues.apache.org/jira/browse/AMQ-9697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré resolved AMQ-9697.
---------------------------------------
    Resolution: Fixed

> Add Security Content Policy header to the Web Console
> -----------------------------------------------------
>
>                 Key: AMQ-9697
>                 URL: https://issues.apache.org/jira/browse/AMQ-9697
>             Project: ActiveMQ Classic
>          Issue Type: Improvement
>          Components: Web Console
>    Affects Versions: 6.0.0, 6.1.0, 6.1.2, 6.1.3, 6.1.4, 5.19.0, 6.1.5, 6.1.6, 
> 5.19.1
>            Reporter: Sérgio Lemos
>            Assignee: Jean-Baptiste Onofré
>            Priority: Minor
>             Fix For: 6.2.0, 5.19.1, 6.1.7, 5.18.8
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> I’d like to propose that we add a Content Security Policy (CSP) Header to the 
> Web Console page restricting to CSS and Javascript assets from the same 
> origin and blocking inline styles and scripts. We already did similar 
> improvements when we added other headers in 
> [https://github.com/apache/activemq/blame/main/assembly/src/release/conf/jetty.xml].
> I can see that the c:out tags used in the JSP pages already does sanitization 
> (at least my naive attempt to create a queue called 
> “<script>alert('hello');</script>” did not result in the code being 
> executed). The CSP header can provide another safety net. 
> I propose to add the following header configuration to jetty.xml:
> {code:java}
> <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
> <property name="pattern" value="*"/>
> <property name="name" value="Content-Security-Policy"/>
> <property name="value" value="upgrade-insecure-requests; style-src-elem 
> 'self'; style-src 'self'; img-src 'self'; script-src-elem 'self'; default-src 
> 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none';" />
> </bean>{code}
> This change will also require to refactor all the JSP pages in the Web 
> Console to move all inline CSS and Javascript code to their respective .css 
> and .js files. Details on the CSP values can be found in 
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy].
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact

Reply via email to