Univention Bugzilla – Bug 45423
No Content-Security-Policy for Portal and Server overview
Last modified: 2018-05-02 13:31:17 CEST
/univention/portal and /univention/server-overview/ don't send any Content-Security-Policy response header. This makes these sites more prone to browser vulnerabilities (e.g. XSRF, XSS, ...). As these sites also interact with the UMC-Server and have access to the Session-ID cookie, we should add the header there, too.
Possible patch: https://git.knut.univention.de/univention/ucs/tree/jkeiser/bug_45423__content_security_policy
The patch removes univention.conf in prerm.
I think we also need "img-src data: *;" if we want to display specific images (e.g. if portal entries can set an external image location).
I think we also need "frame-src *; connect-src 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/; frame-ancestors 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/;" for supporting passive single sign-on renewal in the background if one is logged in.
And maybe we need "media-src *;" as well.
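The following is an added example, not code from Univention or from the patch linked in this bug. It assembles the directives proposed in the comments above into one policy string, parses it the way a browser does (first occurrence of a directive wins), and audits a response's headers for the properties this bug is about: that a policy is sent at all, that `frame-ancestors` is present, that the SSO origin is listed where passive renewal needs it, and that wildcard sources are flagged for review. The hostname `ucs-sso.dev.local` is taken from the comments; `PROPOSED_CSP`, `parse_csp` and `audit_csp` are names chosen here.

```python
"""Parse and audit a Content-Security-Policy header value.

Added example for bug 45423; not Univention code. The policy below is
constructed from the directives proposed in the bug comments.
"""
from typing import Dict, List

# Constructed from the comments: directives proposed for
# /univention/portal and /univention/server-overview/.
PROPOSED_CSP = (
    "default-src 'self'; "
    "img-src data: *; "
    "media-src *; "
    "frame-src *; "
    "connect-src 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/; "
    "frame-ancestors 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/;"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directive names are case-insensitive. Browsers ignore a directive that
    is repeated later in the same policy, so the first occurrence wins.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def audit_csp(headers: Dict[str, str], sso_origin: str) -> List[str]:
    """Return findings for a response's headers; an empty list means OK.

    `headers` is a plain dict of response headers (case-insensitive lookup).
    `sso_origin` is the SSO host that must be reachable for background renewal.
    """
    findings: List[str] = []
    csp = next(
        (v for k, v in headers.items() if k.lower() == "content-security-policy"),
        None,
    )
    if csp is None:
        return ["no Content-Security-Policy header sent"]
    policy = parse_csp(csp)

    # Without default-src, every fetch directive not listed falls back to
    # allowing everything.
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives allow any source")

    # frame-ancestors is what stops other origins from framing the page.
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: page can be framed by any origin")

    # script-src inherits from default-src when absent.
    effective_script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in effective_script or "*" in effective_script:
        findings.append("script sources permit inline or wildcard scripts")

    # Passive SSO renewal needs the SSO origin in connect-src (XHR/fetch)
    # and in frame-ancestors (the page is embedded by the SSO flow).
    for directive in ("connect-src", "frame-ancestors"):
        if sso_origin not in policy.get(directive, []):
            findings.append(
                f"{directive} does not list {sso_origin}; passive SSO renewal would be blocked"
            )

    # Wildcards are not wrong per se, but each one should be a conscious choice.
    for directive in ("img-src", "media-src", "frame-src"):
        if "*" in policy.get(directive, []):
            findings.append(f"{directive} allows any origin ('*'); confirm this is intended")

    return findings


if __name__ == "__main__":
    # Constructed responses: one without the header, one with the proposed policy.
    for label, hdrs in (
        ("before", {"Content-Type": "text/html"}),
        ("after", {"Content-Type": "text/html", "Content-Security-Policy": PROPOSED_CSP}),
    ):
        print(label)
        for finding in audit_csp(hdrs, "https://ucs-sso.dev.local/") or ["OK"]:
            print("  -", finding)
```

Running the block prints one finding for the "before" response (no header) and three wildcard notices for the "after" response, which is the intended review output: the proposed policy covers the SSO origin and framing, and the `*` sources for images, media and frames are the points left to confirm.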
a7e3534 Bug #45423: Add Content-Security-Policy to portal and server-overview
95e1191 Bug #45423: Debian changelog
5d4b74c Bug #45423: YAML
ef03293 Bug #45423: Merge branch 'jkeiser/45423_add_csp_portal_server_overview' into 4.3-0
c83e063 Bug #45423: YAML update version