Roundup Tracker - Issues

Issue 2550939

classification
Title: Refactor use of javascript in templates to support Content Security Policy (CSP)
Type: rfe
Severity: normal
Components: Web interface
Versions: devel
process
Status: new
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: rouilj
Priority:
Keywords:

Created on 2017-04-23 02:41 by rouilj, last changed 2017-04-23 02:41 by rouilj.

Messages
msg5961 Author: [hidden] (rouilj) Date: 2017-04-23 02:41
The current classhelp implementation uses inline javascript in the
onclick attributes or javascript in href via href="javascript:...".

This means that a content security policy (CSP) must include
unsafe-inline. Using unsafe-inline makes XSS attacks easier as code
added (inline or via script tag) by the XSS bad actor will be
executed.

The way to fix this is to load javascript code or add script tags that
are authorized using a nonce (nonce support added in roundup
1.6. Access using request/client/client_nonce in templates).

Within that nonce protected code/script call a function that binds
onclick attributes for the classhelp links.  Since the source of the
function is authorized, the added bindings are also authorized even
when the content security policy does not include unsafe-inline.

More references:

https://csp.withgoogle.com/docs/adopting-csp.html#adoption-workflow

http://www.html5rocks.com/en/tutorials/security/content-security-policy/
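The refactor described in the message above, as an added JavaScript example (not Roundup's own code): the template emits a plain classhelp link plus one script tag authorized by the request nonce, and that script binds the click handlers instead of inline onclick or javascript: hrefs. The data-* attribute names, the popup size, the help URL and the header-building helper are assumptions.

```javascript
// Added example, not Roundup's own code. Attribute names, popup size and
// the help URL below are assumptions; the nonce comes from the request.

function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Before (needs 'unsafe-inline'):
//   <a href="javascript:help_window('issue?@template=help&properties=status', 600, 400)">(list)</a>
// After: no script in the markup; the href still works without javascript.
function classhelpLink(helpUrl, width, height, text) {
  return '<a class="classhelp" href="' + escapeAttr(helpUrl) + '"' +
    ' data-width="' + width + '" data-height="' + height + '">' + text + '</a>';
}

// The single script tag a template emits; `nonce` is the value of
// request/client/client_nonce for this request.
function nonceScriptTag(nonce) {
  return '<script nonce="' + nonce + '">bindClasshelp(document);</script>';
}

// Header that allows only scripts carrying this nonce. Without
// 'unsafe-inline', an injected onclick= or javascript: URL does not run.
function cspHeader(nonce) {
  return "Content-Security-Policy: script-src 'nonce-" + nonce + "'";
}

// Opens the help popup; replaces the old inline call.
function openHelp(helpUrl, width, height) {
  window.open(helpUrl, 'RoundupClassHelp',
    'width=' + width + ',height=' + height + ',scrollbars=yes,resizable=yes');
}

// Called from the nonce'd script: listeners installed by an authorized script
// run even though inline handlers are blocked. `opener` lets a test replace window.open.
function bindClasshelp(root, opener) {
  opener = opener || openHelp;
  var links = Array.from(root.querySelectorAll('a.classhelp'));
  links.forEach(function (link) {
    link.addEventListener('click', function (ev) {
      ev.preventDefault();
      opener(link.getAttribute('href'),
             link.getAttribute('data-width') || '600',
             link.getAttribute('data-height') || '400');
    });
  });
  return links.length;
}
```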
History
Date User Action Args
2017-04-23 02:41:53 rouilj create