Univention Bugzilla – Full Text Bug Listing

Summary: | No Content-Security-Policy for Portal and Server overview | |
---|---|---|---
Product: | UCS | Reporter: | Florian Best <best>
Component: | UMC (Generic) | Assignee: | Johannes Keiser <keiser>
Status: | CLOSED FIXED | QA Contact: | Ole Schwiegert <schwiegert>
Severity: | normal | |
Priority: | P5 | CC: | keiser, requate
Version: | UCS 4.2 | Flags: | keiser: Patch_Available+
Target Milestone: | UCS 4.3-0-errata | |
Hardware: | Other | |
OS: | Linux | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=45599 | |
What kind of report is it?: | Security Issue | What type of bug is this?: | ---
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | ---
User Pain: | | Enterprise Customer affected?: |
School Customer affected?: | | ISV affected?: |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: |
Ticket number: | | Bug group (optional): |
Max CVSS v3 score: | | |
Description

Florian Best 2017-09-20 12:22:14 CEST

Possible patch: https://git.knut.univention.de/univention/ucs/tree/jkeiser/bug_45423__content_security_policy

The patch removes univention.conf in prerm.

I think we need also "img-src data: *;" if we want to display specific images (e.g. if portal entries can set an external image location). I think we also need "frame-src *; connect-src 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/; frame-ancestors 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/;" for supporting passive single sign on renewal in the background if one is logged in. And maybe we need "media-src *;" as well.

a7e3534 Bug #45423: Add Content-Security-Policy to portal and server-overview
95e1191 Bug #45423: Debian changelog
5d4b74c Bug #45423: YAML
ef03293 Bug #45423: Merge branch 'jkeiser/45423_add_csp_portal_server_overview' into 4.3-0
c83e063 Bug #45423: YAML update version

Package: univention-portal
Version: 2.0.1-2A~4.3.0.201804261419
Package: univention-server-overview
Version: 1.0.0-3A~4.3.0.201804261423

<http://errata.software-univention.de/ucs/4.3/27.html>
<http://errata.software-univention.de/ucs/4.3/28.html>

This change forgot to add the UCR variables which are part of the UCR template to the ucr-commit-trigger variables.
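The directives proposed in the comment above, worked through as an added example that is not Univention's code and not the patch referenced in the bug. It serialises a directive map into a header value and evaluates whether a given fetch would be permitted by the policy, including the point the comment relies on: a bare `*` never covers `data:` URLs, so `data:` has to be listed explicitly. The `PORTAL_POLICY` map (with an assumed `default-src 'self'`), the page origin `ucs-master.dev.local`, and every URL used are constructed assumptions; `ucs-sso.dev.local` is the placeholder host from the comment.

```python
"""Build a Content-Security-Policy header and check fetches against it.

Added example, not Univention's code. Host-source matching follows CSP
Level 3 in its essentials; the http->https upgrade allowance and
default-port handling are deliberately left out for brevity.
"""
from urllib.parse import urlparse

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
# Directives that do not fall back to default-src when they are absent.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox"}

# Assumed page origin of the UCS portal (constructed for this example).
PAGE_ORIGIN = "https://ucs-master.dev.local"

# Policy assembled from the directives proposed in the bug comment; the
# default-src line is an assumption, the SSO host is the comment's placeholder.
PORTAL_POLICY = {
    "default-src": ["'self'"],
    "img-src": ["data:", "*"],
    "frame-src": ["*"],
    "connect-src": ["'self'", "https://ucs-sso.dev.local/", "http://ucs-sso.dev.local/"],
    "frame-ancestors": ["'self'", "https://ucs-sso.dev.local/", "http://ucs-sso.dev.local/"],
    "media-src": ["*"],
}


def build_csp(directives):
    """Serialise a directive->sources mapping into a header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def parse_csp(header):
    """Parse a header value back into a mapping (first occurrence of a directive wins)."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url):
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def _host_source_matches(source, url, page_scheme):
    """Match a host-source such as https://ucs-sso.dev.local/ or *.dev.local."""
    src = urlparse(source if "://" in source else "//" + source)
    u = urlparse(url)
    # An explicit scheme in the source must match; otherwise the page's scheme applies.
    wanted_scheme = src.scheme.lower() if src.scheme else page_scheme
    if u.scheme.lower() != wanted_scheme:
        return False
    host, src_host = (u.hostname or "").lower(), (src.hostname or "").lower()
    if src_host.startswith("*."):
        # "*.dev.local" matches "ucs-sso.dev.local" but not "dev.local" itself.
        if not host.endswith(src_host[1:]):
            return False
    elif host != src_host:
        return False
    # A port is only enforced when the source names one.
    if src.port is not None and u.port != src.port:
        return False
    # A source path is a prefix; "/" (as in the comment's SSO entries) matches everything.
    return (u.path or "/").startswith(src.path) if src.path else True


def source_allows(source, url, page_origin):
    """True if one CSP source expression permits fetching url from page_origin."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == page_origin.lower()
    if source.startswith("'"):
        return False  # nonce/hash/unsafe-* keywords never match a URL fetch
    if source == "*":
        # A bare * covers network schemes only, never data:, blob: or filesystem:.
        # This is why the comment lists "data:" next to "*" for img-src.
        return u.scheme.lower() in NETWORK_SCHEMES
    if source.endswith(":") and "//" not in source:
        return u.scheme.lower() == source[:-1].lower()  # scheme-source such as data:
    return _host_source_matches(source, url, urlparse(page_origin).scheme.lower())


def policy_allows(policy, directive, url, page_origin):
    """Evaluate a fetch governed by `directive`, applying the default-src fallback."""
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: the fetch is unrestricted
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(PORTAL_POLICY))
    for directive, url in [
        ("connect-src", "https://ucs-sso.dev.local/simplesamlphp/saml2/idp/SSOService.php"),
        ("img-src", "data:image/png;base64,iVBORw0KGgo="),
        ("media-src", "data:audio/wav;base64,AAAA"),
    ]:
        print(f"{directive:14} {url[:48]:50} -> {policy_allows(PORTAL_POLICY, directive, url, PAGE_ORIGIN)}")
```

The `media-src` case is the one to note when reviewing a policy like this: with only `*`, a `data:` media URL is blocked even though the directive looks fully permissive, exactly the gap the comment closes for `img-src` by adding `data:` alongside `*`.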