OpenStack Dashboard (Horizon)

Content Security Policy support

Bug #1618024 reported by Taras on 2016-08-29

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Dashboard (Horizon)	Confirmed	Wishlist	Unassigned	OpenStack Dashboard (Horizon) next

Bug Description

There is a mechanism called Content Security Policy which web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources (https://www.w3.org/TR/CSP2/)

It will be great if OpenStack Dashboard will support it out of the box and enforce by default. In the most cases implement CSP support into web applicaton consist of following steps:

1. Review HTML code and try to remove all inline code (JS and CSS) and eval() usage
2. If you can't remove inline code you should use nonces/hashes
3. Prepare CSP policy and switch it on in Report-Only mode for some time
4. Fix all the bugs from the CSP log
5. Switch CSP into block mode

Additional information:
* https://www.w3.org/TR/CSP2/
* http://githubengineering.com/githubs-csp-journey/
* http://www.html5rocks.com/en/tutorials/security/content-security-policy/
* https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives

Tags:

Rob Cresswell (robcresswell-deactivatedaccount) on 2016-09-05

Changed in horizon:
milestone:	none → next
status:	New → Confirmed
importance:	Undecided → Wishlist

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.