Feature #29405

open

Support header Content Security Policy

Added by Ludovic Andrieux about 5 years ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

Hi,

According to Google, this is a basic Content Security Policy.

Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'

Redmine crashes with it because there are some calls to eval in JavaScript on some pages.

Regards,
Ludovic


Files

2018-08-18_142722.png (76.2 KB) 2018-08-18_142722.png Ludovic Andrieux, 2018-08-18 14:30
clipboard-202307031747-pojyg.png (62.8 KB) clipboard-202307031747-pojyg.png Popa Marius, 2023-07-03 16:47
clipboard-202307031749-tbv3n.png (14.8 KB) clipboard-202307031749-tbv3n.png Popa Marius, 2023-07-03 16:48
clipboard-202307051048-oevyb.png (30.5 KB) clipboard-202307051048-oevyb.png Popa Marius, 2023-07-05 09:48
Actions #1

Updated by cam lafit over 4 years ago

Hello

A workaround is to enable everything via a config/initializers/csp.rb file:


# config/initializers/csp.rb
# Allow-everything policy: every fetch directive permits any origin, data: and
# blob: URLs, inline code and eval(). This only stops the browser from blocking
# Redmine's inline scripts and eval calls; it provides no real CSP protection.
Rails.application.config.content_security_policy do |policy|
  policy.default_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.font_src    "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.img_src     "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.object_src  "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.script_src  "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.style_src   "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"

  # Specify URI for violation reports
  # policy.report_uri "/csp-violation-report-endpoint"
end

# Uncomment to send Content-Security-Policy-Report-Only instead of enforcing
# Rails.application.config.content_security_policy_report_only = true

Actions #2

Updated by Popa Marius 3 months ago

Any news on this patch?

Actions #7

Updated by Popa Marius 3 months ago

Actions #8

Updated by Popa Marius 3 months ago

We need :unsafe_inline, otherwise

Actions #9

Updated by Popa Marius 2 months ago

Define policy.frame_ancestors :none (see https://content-security-policy.com/frame-ancestors/).

Actions #10

Updated by Jérôme Gallot about 2 months ago

+1 for the feature.

:unsafe_inline must not be used, it is not secure, so there's a lot to do in order to make Redmine work like a charm with CSP, and I don't even speak of plugins ...

Interesting subject, a bit tricky
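As an added example (not code from this thread or from Redmine), a small plain-Ruby linter that parses a CSP header value and reports the points discussed above: whether eval() would run, whether inline scripts are allowed via 'unsafe-inline' or via nonces/hashes, whether script-src is a wildcard, and whether frame-ancestors is set. The two sample headers are constructed from the policy in the description and from the note #1 initializer, written out as header strings.

```ruby
# Constructed sample headers: the "basic" policy from the issue description and
# the allow-everything workaround from note #1, written out as header values.
GOOGLE_BASIC_CSP = "Content-Security-Policy: default-src https:; " \
                   "script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'"
WORKAROUND_CSP = %w[default-src font-src img-src object-src script-src style-src]
                 .map { |d| "#{d} * data: blob: 'unsafe-inline' 'unsafe-eval'" }
                 .join("; ")

# Parse a CSP header value (an optional "Content-Security-Policy:" prefix is
# dropped) into { "directive-name" => [source expressions] }.
def parse_csp(header)
  value = header.sub(/\A\s*Content-Security-Policy:\s*/i, "")
  value.split(";").each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] = sources
  end
end

# Browsers fall back to default-src for a fetch directive that is absent.
def effective_sources(policy, directive)
  policy.fetch(directive) { policy.fetch("default-src", []) }
end

# Report what matters for this thread: will eval() run, are inline scripts
# allowed (unsafe-inline, or nonce/hash allow-listing), is script-src a
# wildcard, and is framing restricted via frame-ancestors (which is not a
# fetch directive and so never falls back to default-src).
def lint_csp(header)
  policy = parse_csp(header)
  scripts = effective_sources(policy, "script-src")
  {
    eval_allowed: scripts.include?("'unsafe-eval'"),
    unsafe_inline_scripts: scripts.include?("'unsafe-inline'"),
    nonce_or_hash_scripts: scripts.any? { |s| s.start_with?("'nonce-", "'sha") },
    script_wildcard: scripts.include?("*"),
    frame_ancestors_set: policy.key?("frame-ancestors")
  }
end

if __FILE__ == $PROGRAM_NAME
  { "description header" => GOOGLE_BASIC_CSP, "note #1 workaround" => WORKAROUND_CSP }
    .each { |label, csp| puts "#{label}: #{lint_csp(csp)}" }
end
```

Run against the description's header it reports eval_allowed false, which is exactly why Redmine's eval calls are blocked; against the workaround it reports eval_allowed and script_wildcard true, i.e. no script restriction at all.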
