Public bug reported:

There is a mechanism called Content Security Policy which web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources (https://www.w3.org/TR/CSP2/).

It would be great if OpenStack Dashboard supported it out of the box and enforced it by default.

In most cases, implementing CSP support in a web application consists of the following steps:

1. Review the HTML code and try to remove all inline code (JS and CSS) and eval() usage
2. If you can't remove inline code, use nonces/hashes
3. Prepare the CSP policy and switch it on in Report-Only mode for some time
4. Fix all the bugs from the CSP log
5. Switch CSP into block mode

Additional information:

* https://www.w3.org/TR/CSP2/
* http://githubengineering.com/githubs-csp-journey/
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/
* https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives

** Affects: horizon
   Importance: Undecided
       Status: New

** Tags: csp

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1618024

Title:
  Content Security Policy support

Status in OpenStack Dashboard (Horizon):
  New
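The five steps above describe the rollout order but not what the header generation looks like in practice. The following is an added example written for this page; it is not code from the Horizon project or from the bug reporter. Horizon is a Django (WSGI) application, so the example is a small standard-library Python module built as plain WSGI middleware: it mints a fresh nonce per response, computes 'sha256-...' source expressions for inline scripts that cannot be removed (step 2), and emits the policy as Content-Security-Policy-Report-Only or Content-Security-Policy depending on a flag (steps 3 and 5). The directive set in BASE_POLICY, the /csp-report/ endpoint, and the environ key csp.nonce are assumptions for illustration only, not anything Horizon actually ships.

```python
import base64
import hashlib
import re
import secrets

# Illustrative starting policy (an assumption for this example, not Horizon's
# actual policy). It allows no inline script/style at all; inline content that
# cannot be removed must be whitelisted by nonce or hash (step 2 above).
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
    "report-uri": ["/csp-report/"],  # hypothetical violation collector
}

# Inline <script> elements only: a script with a src= attribute is fetched from
# a URL and is governed by the host-source list, not by a hash.
INLINE_SCRIPT_RE = re.compile(
    r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL
)


def make_nonce(nbytes=16):
    """Fresh, unpredictable nonce; generated per response, never reused."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def inline_script_hashes(html):
    """'sha256-...' source expressions for every inline <script> body in html.

    The digest covers the exact text between the tags, so any change in
    content or whitespace invalidates the hash (which is the point).
    """
    hashes = []
    for body in INLINE_SCRIPT_RE.findall(html):
        digest = hashlib.sha256(body.encode("utf-8")).digest()
        hashes.append("'sha256-%s'" % base64.b64encode(digest).decode("ascii"))
    return hashes


def build_policy(base, nonce=None, script_hashes=()):
    """Serialise a directive dict into a CSP header value (base is not mutated)."""
    directives = {name: list(sources) for name, sources in base.items()}
    if nonce is not None:
        directives["script-src"].append("'nonce-%s'" % nonce)
        directives["style-src"].append("'nonce-%s'" % nonce)
    directives["script-src"].extend(script_hashes)
    return "; ".join("%s %s" % (name, " ".join(srcs))
                     for name, srcs in directives.items())


def csp_header_name(report_only):
    """Report-Only (step 3) only reports violations; the plain header blocks (step 5)."""
    return ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")


def csp_middleware(app, report_only=True, script_hashes=()):
    """WSGI middleware that attaches the policy to every response.

    The nonce is handed to the application via environ["csp.nonce"] (an
    assumed key) so templates can stamp it on the inline blocks they keep.
    """
    def wrapped(environ, start_response):
        nonce = make_nonce()
        environ["csp.nonce"] = nonce

        def csp_start_response(status, headers, exc_info=None):
            # Replace any CSP header the application set itself so the policy
            # is defined in exactly one place.
            headers = [(h, v) for h, v in headers
                       if not h.lower().startswith("content-security-policy")]
            headers.append((csp_header_name(report_only),
                            build_policy(BASE_POLICY, nonce, script_hashes)))
            return start_response(status, headers, exc_info)

        return app(environ, csp_start_response)

    return wrapped


if __name__ == "__main__":
    # Constructed sample page with one inline script that is kept and hashed.
    page = "<script>document.title = 'Horizon';</script>"
    print(csp_header_name(True) + ": "
          + build_policy(BASE_POLICY, make_nonce(), inline_script_hashes(page)))
```

Two caveats a practitioner will want. In Report-Only mode nothing is blocked, so without the report-uri directive (or a collector behind it) step 4 has no log to fix bugs from; and hashes only cover script bodies, so an inline event handler (onclick="...") or eval() still needs to be removed in step 1, because the only alternative is 'unsafe-inline' / 'unsafe-eval', which gives back most of what CSP was meant to take away.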

