Bug 49912 – connect-src and frame-ancestors CSP are broken on slave

Bug 49912 - connect-src and frame-ancestors CSP are broken on slave


Summary:	connect-src and frame-ancestors CSP are broken on slave

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	UMC (Generic)
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UMC maintainers
QA Contact:	UMC maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-07-23 17:23 CEST by Jürn Brodersen
Modified:	2023-01-18 13:21 CET (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jürn Brodersen

2019-07-23 17:23:43 CEST

connect-src and frame-ancestors CSP are broken on slave

I got the following errors on an school slave (in the browser console):
'''
(index):1 The source list for Content Security Policy directive 'connect-src' contains an invalid source: 'https:///'. It will be ignored.
(index):1 The source list for Content Security Policy directive 'connect-src' contains an invalid source: 'http:///'. It will be ignored.
(index):1 The source list for Content Security Policy directive 'frame-ancestors' contains an invalid source: 'https:///'. It will be ignored.
(index):1 The source list for Content Security Policy directive 'frame-ancestors' contains an invalid source: 'http:///'. It will be ignored.
'''

I guess the ucr variable "ucs/server/sso/fqdn" was set after "/etc/apache2/sites-available/univention.conf" was created.


On a side note, I changed connect-src and frame-ancestors to include only 'self', with saml (including our passive iframe login) still working.
Is ucs-sso even needed in these CSP?