Bug 45423 - No Content-Security-Policy for Portal and Server overview
No Content-Security-Policy for Portal and Server overview
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.3-0-errata
Assigned To: Johannes Keiser
Ole Schwiegert
Depends on:
  Show dependency treegraph
Reported: 2017-09-20 12:22 CEST by Florian Best
Modified: 2020-05-11 20:09 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
keiser: Patch_Available+


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-09-20 12:22:14 CEST
/univention/portal and /univention/server-overview/ doesn't send any Content-Security-Policy response header. This makes these sites more prone to browser vulnerabilities (e.g. XSRF, XSS, ...). As these sites also interact with the UMC-Server and have access to the Session-ID cookie we should add the header there, too.
Comment 2 Florian Best univentionstaff 2018-01-23 11:38:20 CET
The patch removes univention.conf in prerm.

I think we need also "img-src data: *;" if we want to display specific images (e.g. if portal entries can set an external image location).

I think we also need frame-src *; connect-src 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/; frame-ancestors 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/;" for supporting passive single sign on renewal in the background if one is logged in.

And maybe we need "media-src *;" as well.
Comment 3 Johannes Keiser univentionstaff 2018-04-26 14:27:26 CEST
a7e3534 Bug #45423: Add Content-Security-Policy to portal and server-overview
95e1191 Bug #45423: Debian changelog
5d4b74c Bug #45423: YAML
ef03293 Bug #45423: Merge branch 'jkeiser/45423_add_csp_portal_server_overview' into 4.3-0
c83e063 Bug #45423: YAML update version

Package: univention-portal
Version: 2.0.1-2A~

Package: univention-server-overview
Version: 1.0.0-3A~
Comment 5 Florian Best univentionstaff 2020-05-11 20:09:04 CEST
This change forgot to add the UCR variables which are part of the UCR template to the ucr-commit-trigger variables.