Roundup Tracker - Issues

Message5961

Author rouilj
Recipients rouilj
Date 2017-04-23.02:41:51
Message-id <1492915313.13.0.822625079126.issue2550939@psf.upfronthosting.co.za>
In-reply-to
The current classhelp implementation uses inline javascript in the
onclick attributes or javascript in href via href="javascript:...".

This means that a content security policy (CSP) must include
unsafe-inline. Using unsafe-inline makes XSS attacks easier as code
added (inline or via script tag) by the XSS bad actor will be
executed.

The way to fix this is to load javascript code or add script tags that
are authorized using a nonce (nonce support added in roundup
1.6. Access using request/client/client_nonce in templates).

Within that nonce protected code/script call a function that binds
onclick attributes for the classhelp links.  Since the source of the
function is authorized, the added bindings are also authorized even
when the content security policy does not include unsafe-inline.

More references:

https://csp.withgoogle.com/docs/adopting-csp.html#adoption-workflow

http://www.html5rocks.com/en/tutorials/security/content-security-policy/
History

Date | User | Action | Args
2017-04-23 02:41:53 | rouilj | set | recipients: + rouilj
2017-04-23 02:41:53 | rouilj | set | messageid: <1492915313.13.0.822625079126.issue2550939@psf.upfronthosting.co.za>
2017-04-23 02:41:52 | rouilj | link | issue2550939 messages
2017-04-23 02:41:51 | rouilj | create