Content Security Policy support

Bug #1618024 reported by Taras
Affects: OpenStack Dashboard (Horizon)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

There is a mechanism called Content Security Policy which web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources (https://www.w3.org/TR/CSP2/).

It would be great if OpenStack Dashboard supported it out of the box and enforced it by default. In most cases, implementing CSP support in a web application consists of the following steps:

1. Review HTML code and try to remove all inline code (JS and CSS) and eval() usage
2. If you can't remove inline code you should use nonces/hashes
3. Prepare CSP policy and switch it on in Report-Only mode for some time
4. Fix all the bugs from the CSP log
5. Switch CSP into block mode
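The rollout steps above, carried through as an added example in plain Python (this is not Horizon's code; Horizon runs on Django, but the example uses a bare WSGI middleware so it runs without any framework). It generates a fresh per-request nonce for inline code that cannot be moved to external files (step 2), computes a hash-source for an inline script that must stay static, and emits the policy as `Content-Security-Policy-Report-Only` during the observation phase (steps 3-4) or as `Content-Security-Policy` once `report_only=False` is set (step 5). The environ key `csp.nonce`, the report endpoint `/csp-report/` and the inline script body are assumptions chosen for the example.

```python
import base64
import hashlib
import secrets

# Inline script constructed for this example; in a real app it would be the
# exact bytes of a <script> body that cannot be moved to an external file.
INLINE_SCRIPT = "window.HORIZON_CONFIG = {debug: false};"


def script_hash(inline_source, algo="sha256"):
    """Return the CSP hash-source ('sha256-<base64>') for an inline script/style body."""
    digest = hashlib.new(algo, inline_source.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def new_nonce():
    """Fresh, unguessable per-request nonce (128 bits, base64-encoded as the spec expects)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(nonce, inline_hashes=(), report_uri="/csp-report/"):
    """Assemble the policy: same-origin external resources, nonce/hash-allowed inline code,
    no plugins, and a report endpoint (assumed path) that receives violation reports."""
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", ["'self'", "'nonce-%s'" % nonce, *inline_hashes]),
        ("style-src", ["'self'", "'nonce-%s'" % nonce]),
        ("object-src", ["'none'"]),
        ("report-uri", [report_uri]),
    ]
    return "; ".join("%s %s" % (name, " ".join(values)) for name, values in directives)


class CSPMiddleware:
    """WSGI middleware: generate a nonce, expose it to the app, attach the CSP header.

    report_only=True emits Content-Security-Policy-Report-Only (steps 3-4 of the
    rollout); switching it to False is step 5.
    """
    HEADER_NAMES = ("content-security-policy", "content-security-policy-report-only")

    def __init__(self, app, report_only=True, inline_hashes=()):
        self.app = app
        self.report_only = report_only
        self.inline_hashes = tuple(inline_hashes)

    def __call__(self, environ, start_response):
        nonce = new_nonce()
        environ["csp.nonce"] = nonce  # assumed key; templates read it to stamp nonce="..." on inline tags

        def start_with_csp(status, headers, exc_info=None):
            # Drop any CSP header the app set itself so exactly one policy is sent, then add ours.
            headers = [h for h in headers if h[0].lower() not in self.HEADER_NAMES]
            name = ("Content-Security-Policy-Report-Only" if self.report_only
                    else "Content-Security-Policy")
            headers.append((name, build_policy(nonce, self.inline_hashes)))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_csp)


def sample_app(environ, start_response):
    """Minimal constructed page with one nonced script and one hash-allowed static script."""
    nonce = environ["csp.nonce"]
    body = (
        '<script nonce="%s">console.log("nonced");</script>\n'
        '<script>%s</script>\n' % (nonce, INLINE_SCRIPT)
    ).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def run_request(report_only=True):
    """Drive the middleware once and return (status, headers dict, body, nonce)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    app = CSPMiddleware(sample_app, report_only=report_only,
                        inline_hashes=[script_hash(INLINE_SCRIPT)])
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body, environ["csp.nonce"]


if __name__ == "__main__":
    status, headers, body, nonce = run_request(report_only=True)
    print(headers["Content-Security-Policy-Report-Only"])
    print(body)
```

The hash-source is only valid while the inline body stays byte-for-byte identical, so it suits static bootstrap snippets; anything templated per request should carry the nonce instead. Keep the policy in Report-Only mode until the endpoint behind `report-uri` stops receiving violations for legitimate pages, then change the header name.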

Additional information:
* https://www.w3.org/TR/CSP2/
* http://githubengineering.com/githubs-csp-journey/
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/
* https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives

Tags: csp
Changed in horizon:
milestone: none → next
status: New → Confirmed
importance: Undecided → Wishlist