Content Security Policy support
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Confirmed | Wishlist | Unassigned | |
Bug Description
There is a mechanism called Content Security Policy which web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources (https:/
It would be great if OpenStack Dashboard supported it out of the box and enforced it by default. In most cases, implementing CSP support in a web application consists of the following steps:
1. Review the HTML code and try to remove all inline code (JS and CSS) and eval() usage
2. If you can't remove inline code, you should use nonces/hashes
3. Prepare CSP policy and switch it on in Report-Only mode for some time
4. Fix all the bugs from the CSP log
5. Switch CSP into block mode
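The five steps above, as an added worked example that is not part of this bug report or of the Horizon code base: a scanner that flags inline JS/CSS in a template (step 1), a per-response nonce and a policy builder that emits the same directives under either the `Content-Security-Policy-Report-Only` or the `Content-Security-Policy` header (steps 2, 3 and 5), and a tally of violation reports by directive and blocked URI so the noisiest findings get fixed first (step 4). The report endpoint path `/csp-report/`, the dashboard hostname, the sample HTML and the sample report lines are all constructed for the example; the directive set is a plausible strict starting policy, not Horizon's.

```python
"""CSP rollout helpers (added example; not Horizon's code)."""
import json
import secrets
from collections import Counter
from html.parser import HTMLParser


class InlineCodeFinder(HTMLParser):
    """Step 1: flag inline JS/CSS that a nonce-based CSP would block."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._in_inline_script = True        # <script> with a body, no src
        if tag == "style":
            self._in_style = True
        for name in attrs:
            if name.startswith("on"):            # onclick=, onload=, ...
                self.findings.append(f"inline event handler {name!r} on <{tag}>")
        if "style" in attrs:
            self.findings.append(f"inline style attribute on <{tag}>")
        if (attrs.get("href") or "").lower().startswith("javascript:"):
            self.findings.append(f"javascript: URL on <{tag}>")

    def handle_data(self, data):
        # HTMLParser hands us <script>/<style> bodies verbatim (CDATA mode).
        if self._in_inline_script and data.strip():
            self.findings.append("inline <script> block")
        if self._in_style and data.strip():
            self.findings.append("inline <style> block")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False
        if tag == "style":
            self._in_style = False


def find_inline_code(html):
    """Return a list of human-readable findings for one HTML document."""
    parser = InlineCodeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def new_nonce():
    """Step 2: a fresh, unguessable nonce; generate one per response."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce, report_only, report_uri="/csp-report/"):
    """Steps 3 and 5: one policy, delivered as report-only or enforcing.

    report_uri is a placeholder path assumed for this example.
    """
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",   # only nonced inline scripts run
        f"style-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
        f"report-uri {report_uri}",
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def summarize_csp_reports(report_lines):
    """Step 4: count violations by (directive, blocked-uri) from JSON report lines."""
    counts = Counter()
    for line in report_lines:
        try:
            body = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue                             # not a CSP report; skip it
        directive = body.get("effective-directive") or body.get("violated-directive", "?")
        counts[(directive, body.get("blocked-uri", "?"))] += 1
    return counts


# Constructed sample inputs for the example.
SAMPLE_HTML = (
    '<html><head><style>body{margin:0}</style>'
    '<script src="/static/app.js"></script></head>'
    '<body onload="init()"><div style="color:red">x</div>'
    '<script>init();</script></body></html>'
)
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://dashboard.example/project/", '
    '"effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://dashboard.example/project/", '
    '"effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://dashboard.example/admin/", '
    '"effective-directive": "style-src", "blocked-uri": "inline"}}',
    'not a report line',
]

if __name__ == "__main__":
    for finding in find_inline_code(SAMPLE_HTML):
        print("step 1:", finding)
    print("step 3:", "%s: %s" % build_csp_header(new_nonce(), report_only=True))
    for (directive, uri), n in summarize_csp_reports(SAMPLE_REPORTS).most_common():
        print(f"step 4: {n} x {directive} blocked {uri}")
```

Run the whole thing in report-only mode first; once `summarize_csp_reports` over the collected log comes back empty for a while, flip `report_only=False` and the identical directive string is enforced.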
Additional information:
* https:/
* http://
* http://
* https:/
Changed in horizon:
* milestone: none → next
* status: New → Confirmed
* importance: Undecided → Wishlist