Univention Bugzilla – Bug 45423
No Content-Security-Policy for Portal and Server overview
Last modified: 2020-05-11 20:09:04 CEST
/univention/portal and /univention/server-overview/ don't send any Content-Security-Policy response header. This makes these sites more prone to browser vulnerabilities (e.g. XSRF, XSS, ...). As these sites also interact with the UMC-Server and have access to the Session-ID cookie we should add the header there, too.
Possible patch: https://git.knut.univention.de/univention/ucs/tree/jkeiser/bug_45423__content_security_policy
The patch removes univention.conf in prerm. I think we also need "img-src data: *;" if we want to display specific images (e.g. if portal entries can set an external image location). I think we also need "frame-src *; connect-src 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/; frame-ancestors 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/;" for supporting passive single sign-on renewal in the background if one is logged in. And maybe we need "media-src *;" as well.
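To see what the directives proposed in the comment above actually permit (and what the missing header leaves unrestricted), here is an added, simplified CSP matcher; it is illustration code, not part of the Univention patch, and it assumes a constructed portal origin of https://ucs.dev.local.

```python
"""Simplified Content-Security-Policy matcher: parse a header value and check which
URLs each directive would allow. Added illustration, not Univention code."""
from urllib.parse import urlsplit

# Constructed header value assembled from the directives proposed in the comment above.
PROPOSED_CSP = (
    "default-src 'self'; img-src data: *; media-src *; frame-src *; "
    "connect-src 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/; "
    "frame-ancestors 'self' https://ucs-sso.dev.local/ http://ucs-sso.dev.local/"
)
# Directives that never fall back to default-src.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri"}

def parse_csp(header):
    """Split a header value into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_allows(source, url, page_origin):
    """Match one source expression ('self', '*', 'none', scheme:, scheme://host) against a URL.
    Ports, paths and *.wildcard hosts are deliberately not handled here."""
    target, page = urlsplit(url), urlsplit(page_origin)
    if source == "'none'":
        return False
    if source == "*":                      # '*' covers network schemes only, never data:
        return target.scheme in ("http", "https", "ws", "wss")
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.endswith(":"):               # scheme-source such as data: or https:
        return target.scheme == source[:-1]
    src = urlsplit(source)                 # scheme://host[:port][/path] host-source
    return (target.scheme, target.hostname) == (src.scheme, src.hostname)

def directive_allows(policy, directive, url, page_origin):
    """True if the policy lets `directive` load `url`; a missing policy restricts nothing."""
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:                    # neither directive nor fallback present
        return True
    return any(source_allows(s, url, page_origin) for s in sources)
```

With an empty policy (no header sent, the state this bug describes) every check returns True, while the proposed policy confines XHR to the portal itself and the SSO host.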
a7e3534 Bug #45423: Add Content-Security-Policy to portal and server-overview
95e1191 Bug #45423: Debian changelog
5d4b74c Bug #45423: YAML
ef03293 Bug #45423: Merge branch 'jkeiser/45423_add_csp_portal_server_overview' into 4.3-0
c83e063 Bug #45423: YAML update version

Package: univention-portal
Version: 2.0.1-2A~4.3.0.201804261419

Package: univention-server-overview
Version: 1.0.0-3A~4.3.0.201804261423
<http://errata.software-univention.de/ucs/4.3/27.html>
<http://errata.software-univention.de/ucs/4.3/28.html>
This change forgot to add the UCR variables which are part of the UCR template to the ucr-commit-trigger variables.