camunda BPM / CAM-14139

Make default content security policy more strict


Details

    Description

      Acceptance Criteria (Required on creation):

      • The script-src part of our default Content Security Policy defines the following values:
        • strict-dynamic
        • nonce-<value> with a randomly generated value when the index page is delivered
        • unsafe-eval (needed for webapp plugins and embedded forms)
      • script-src does not define the following values
        • unsafe-inline
      • default-src defines only the minimal additional content sources that we need for other content types
      • The backend generates a secure random nonce, returns a new value with the CSP on every request to the index page, and inserts the nonce into any <script> tags that our HTML pages use (see https://content-security-policy.com/strict-dynamic/)
      • Any unnecessary use of inline scripts in our codebase is refactored into an external resource
      • Webapp plugins and embedded forms still work. It's still possible to include cam-script and regular script elements in the corresponding HTML files
      • Our CSP documentation mentions that unsafe-eval can be removed from the CSP if webapp plugins and embedded forms are not used
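The following is an added example, not Camunda's own implementation, showing the per-request flow the criteria above describe: generate an unpredictable nonce, emit a `script-src` with `'strict-dynamic'`, the nonce and (optionally) `'unsafe-eval'` but no `'unsafe-inline'`, stamp the same nonce onto every `<script>` tag of the index page, and audit the resulting header. The `default-src 'self'` value, the `INDEX_TEMPLATE` snippet and all function names are assumptions made for the example.

```python
import base64
import re
import secrets

# Constructed stand-in for the webapp index page: one external script
# (as a plugin or cam-script include would be) and one inline script.
INDEX_TEMPLATE = (
    '<html><head><script src="app.js"></script></head>'
    "<body><script>window.camBase = '/camunda';</script></body></html>"
)

# Matches an opening <script ...> tag that does not already carry a nonce attribute.
_SCRIPT_TAG = re.compile(r"<script\b(?![^>]*\bnonce=)", re.IGNORECASE)


def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh nonce per response: 128 random bits from the OS CSPRNG, base64-encoded
    (base64 is the value format the CSP spec expects for 'nonce-...')."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_csp(nonce: str, allow_unsafe_eval: bool = True) -> str:
    """Assemble the Content-Security-Policy header value for one response."""
    script_src = ["'strict-dynamic'", f"'nonce-{nonce}'"]
    if allow_unsafe_eval:
        # Only needed while webapp plugins / embedded forms are in use; drop otherwise.
        script_src.append("'unsafe-eval'")
    # Deliberately no 'unsafe-inline': with strict-dynamic the nonce is what
    # authorises inline and bootstrap scripts.
    directives = [
        ("default-src", ["'self'"]),  # assumption: minimal source list for other content
        ("script-src", script_src),
    ]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives)


def inject_nonce(html: str, nonce: str) -> str:
    """Add nonce="..." to every <script> tag that does not already have one."""
    return _SCRIPT_TAG.sub(f'<script nonce="{nonce}"', html)


def render_index(template: str = INDEX_TEMPLATE, allow_unsafe_eval: bool = True):
    """One request to the index page: new nonce, matching header and body."""
    nonce = generate_nonce()
    return build_csp(nonce, allow_unsafe_eval), inject_nonce(template, nonce)


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source values]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_script_src(header: str) -> list:
    """Return the list of ways script-src falls short of the strict policy (empty = OK)."""
    src = parse_csp(header).get("script-src")
    if src is None:
        return ["script-src missing (browser falls back to default-src)"]
    problems = []
    if "'unsafe-inline'" in src:
        problems.append("'unsafe-inline' present")
    if "'strict-dynamic'" not in src:
        problems.append("'strict-dynamic' missing")
    if not any(value.startswith("'nonce-") for value in src):
        problems.append("no per-response nonce")
    return problems


if __name__ == "__main__":
    header, body = render_index()
    print("Content-Security-Policy:", header)
    print(body)
    print("audit:", audit_script_src(header) or "strict")
```

Two properties are worth checking in a review of any real implementation: the nonce in the header must be byte-identical to the one in the page body (otherwise every script is blocked), and two consecutive requests must never share a nonce (otherwise an attacker who can read one response can author inline scripts for the next).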

      Hints (optional):

              People

                Hariharan Parasuraman
                Thorben Lindhauer
                Daniel Kelemen
                Tassilo Weidner