Update csp #3919
8d5af31 to 33db351
This PR weakens the Content Security Policy (CSP) by adding 'unsafe-inline' to the style-src directive across all three frontend applications. While this may be necessary for application functionality, it introduces potential XSS security risks that need careful consideration and should be accompanied by proper documentation and mitigation measures.
ingress: | ||
customHeaders: | ||
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr https://api.tally.so https://*.tally.so; font-src 'self' https://fonts.gstatic.com https://tally.so https://*.tally.so; img-src 'self' https://tally.so https://*.tally.so data:; script-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; frame-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; style-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so" | ||
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr https://api.tally.so https://*.tally.so; font-src 'self' https://fonts.gstatic.com https://tally.so https://*.tally.so; img-src 'self' https://tally.so https://*.tally.so data:; script-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; frame-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; style-src 'self' 'unsafe-inline' https://*.gouv.fr https://tally.so https://*.tally.so" |
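Review bot: the new `style-src` value in this hunk grants `'unsafe-inline'` with no nonce- or hash-source beside it, and the PR has no description, so nothing records which component actually emits the inline styles. Suggest replacing the keyword with hash-sources for the specific `<style>` bodies the application ships, e.g. `style-src 'self' 'sha256-<base64 digest>' https://*.gouv.fr https://tally.so https://*.tally.so`, and stating in the PR which library needs it; if it is the tally.so embed, a comment next to the header saying so keeps the allowance from being unexplained the next time someone audits these values.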
Adding 'unsafe-inline' to style-src weakens the CSP security posture by allowing inline styles, which can be exploited for XSS attacks. Consider:
- Document why this change is necessary
- Explore alternatives like using nonces or hashes for specific inline styles
- Ensure proper input sanitization for any user-generated content that could contain styles
- Consider if this can be scoped to specific style sources rather than allowing all inline styles
If this is required for a specific library or framework, document which one and consider more restrictive alternatives.
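To make the nonce/hash alternative above concrete, here is an added Python example (not part of the PR or the project's code) that parses a CSP header, flags directives that carry `'unsafe-inline'` without any nonce- or hash-source, and rebuilds `style-src` with a `'sha256-…'` hash-source in place of the keyword. The sample header is the admin-portal value from this PR; the inline style body is a constructed stand-in for whatever the application really emits.

```python
import base64
import hashlib
import re

# Post-change admin-portal header from the PR (the shortest of the three).
SAMPLE_CSP = (
    "default-src 'none'; manifest-src 'self' https://*.gouv.fr; "
    "connect-src 'self' https://*.gouv.fr; font-src 'self'; img-src 'self' data:; "
    "script-src 'self' https://*.gouv.fr; frame-src 'self' https://*.gouv.fr; "
    "style-src 'self' 'unsafe-inline' https://*.gouv.fr"
)

# Constructed sample <style> body; a real deployment would hash the exact
# text the page emits (whitespace included).
SAMPLE_INLINE_STYLE = ".banner { display: none; }"

# Directives in which 'unsafe-inline' is meaningful.
INLINE_DIRECTIVES = {
    "default-src",
    "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr",
}

# A nonce- or hash-source; in CSP3 browsers its presence makes 'unsafe-inline'
# in the same directive a no-op.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]} preserving order."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: dict) -> str:
    """Inverse of parse_csp."""
    return "; ".join(
        name + (" " + " ".join(sources) if sources else "")
        for name, sources in policy.items()
    )


def hash_source(style_body: str) -> str:
    """CSP hash-source for an inline <style> element body (SHA-256 over UTF-8, base64)."""
    digest = hashlib.sha256(style_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def unsafe_inline_findings(header: str) -> list:
    """Directives that allow 'unsafe-inline' with no nonce/hash to neutralise it."""
    findings = []
    for directive, sources in parse_csp(header).items():
        if directive not in INLINE_DIRECTIVES:
            continue
        if "'unsafe-inline'" in sources and not any(NONCE_OR_HASH.match(s) for s in sources):
            findings.append(directive)
    return findings


def harden_style_src(header: str, inline_style_bodies: list) -> str:
    """Replace 'unsafe-inline' in style-src with one hash-source per inline <style> body."""
    policy = parse_csp(header)
    sources = [s for s in policy.get("style-src", []) if s != "'unsafe-inline'"]
    sources += [hash_source(body) for body in inline_style_bodies]
    policy["style-src"] = sources
    return serialize_csp(policy)


if __name__ == "__main__":
    print("weak directives:", unsafe_inline_findings(SAMPLE_CSP))
    print("hardened header:", harden_style_src(SAMPLE_CSP, [SAMPLE_INLINE_STYLE]))
```

The hash-source approach covers `<style>` elements; inline `style=""` attributes are only matched by hashes when `'unsafe-hashes'` is also present, and the digest must be taken over the exact attribute value. Running the hardened header as `Content-Security-Policy-Report-Only` first shows which inline styles still violate it before the enforcing header is changed.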
ingress: | ||
customHeaders: | ||
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr; font-src 'self'; img-src 'self' data:; script-src 'self' https://*.gouv.fr; frame-src 'self' https://*.gouv.fr; style-src 'self' https://*.gouv.fr" | ||
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr; font-src 'self'; img-src 'self' data:; script-src 'self' https://*.gouv.fr; frame-src 'self' https://*.gouv.fr; style-src 'self' 'unsafe-inline' https://*.gouv.fr" |
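Review bot: this hunk applies the same loosening to the admin portal, whose header otherwise allows only `'self'` and `https://*.gouv.fr`, so `'unsafe-inline'` is proportionally the biggest allowance in the policy here. If the need comes from `style=""` attributes rather than `<style>` elements, CSP3's split directives keep element styles strict: add `style-src-elem 'self' https://*.gouv.fr` and place `'unsafe-inline'` only in `style-src-attr`; browsers that do not know those directives fall back to `style-src`. Deploying the stricter variant as `Content-Security-Policy-Report-Only` first would show whether the admin interface really needs the keyword at all.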
Same security concern as the frontend service - 'unsafe-inline' in style-src creates potential XSS vulnerabilities. This is particularly concerning for the admin portal which likely handles sensitive administrative operations. Consider if this change is absolutely necessary for the admin interface and explore safer alternatives.
ingress: | ||
customHeaders: | ||
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr https://api.tally.so https://*.tally.so; font-src 'self' https://fonts.gstatic.com https://tally.so https://*.tally.so; img-src 'self' https://tally.so https://*.tally.so data:; script-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; frame-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; style-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so" | ||
"Content-Security-Policy": "default-src 'none'; manifest-src 'self' https://*.gouv.fr; connect-src 'self' https://*.gouv.fr https://api.tally.so https://*.tally.so; font-src 'self' https://fonts.gstatic.com https://tally.so https://*.tally.so; img-src 'self' https://tally.so https://*.tally.so data:; script-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; frame-src 'self' https://*.gouv.fr https://tally.so https://*.tally.so; style-src 'self' 'unsafe-inline' https://*.gouv.fr https://tally.so https://*.tally.so" |
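Review bot: one interaction worth recording for this hunk, which is identical to the frontend change: in CSP3 browsers `'unsafe-inline'` is ignored as soon as a nonce- or hash-source appears in the same directive, so if someone later adds a `'sha256-…'` or `'nonce-…'` for a single style, every other inline style on the user portal stops being applied. Either move fully to hashes or nonces now or leave a comment beside the header explaining that the keyword must stand alone; and since none of the three headers has a reporting directive, adding `report-to` (or the older `report-uri`) would make violations visible once the policy is tightened again.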
Adding 'unsafe-inline' to the user portal's CSP also introduces security risks. Since this portal likely handles user-generated content and personal data, the security implications are significant. Ensure this change is properly justified and documented, and consider implementing additional security measures to compensate for the weakened CSP.
🎉 This PR is included in version 2.221.4 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
No description provided.