Bug 45599 - Remove deprecated child-src from Content-Security-Policy
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 4.3-0-errata
Assigned To: Jannik Ahlers
QA Contact: Johannes Keiser
Depends on:
Blocks:
Reported: 2017-10-26 10:32 CEST by Florian Best
Modified: 2018-04-18 13:51 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Browser compatibility
Max CVSS v3 score:

Description Florian Best univentionstaff 2017-10-26 10:32:48 CEST
See https://www.cspvalidator.org/#url=https://demo.univention.de/univention/management/

Warning
1:252: The child-src directive is deprecated as of CSP level 3. Authors who wish to regulate nested browsing contexts and workers SHOULD use the frame-src and worker-src directives, respectively.
Therefore we should remove this from our CSP rules.
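The validator warning above says to replace child-src with frame-src and worker-src. The added example below (not code from this bug or from the univention-management-console package) parses a CSP header, flags the deprecated directive and rewrites the policy so that frame-src and worker-src keep the sources child-src used to grant; the CSP header it runs on is constructed for the example, not UMC's real policy.

```python
# Added example (not part of this bug report or the UMC package): detect the
# deprecated child-src directive and migrate a policy to frame-src/worker-src
# without changing what browsers actually enforce. CSP Level 3 fallback
# chains are modelled so the migration does not silently widen or narrow
# the policy when child-src is dropped.
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

# CSP Level 3 fallback order for the two directives that replaced child-src.
FALLBACKS = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}

# Constructed sample header (not UMC's real policy); the sources are made up.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
              "child-src 'self' https://demo.example.invalid")


def parse_csp(header: str) -> Policy:
    """Split a CSP header into {directive: [source, ...]}. Directive names are
    case-insensitive and browsers ignore repeated directives, so first wins."""
    policy: Policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective(policy: Policy, directive: str) -> Optional[List[str]]:
    """Source list a CSP3 browser enforces for `directive` after fallbacks;
    None means no governing directive is present (unrestricted)."""
    for name in [directive] + FALLBACKS.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def migrate_child_src(header: str) -> str:
    """Drop child-src, first pinning frame-src/worker-src to their currently
    effective sources so the enforced policy stays identical."""
    policy = parse_csp(header)
    if "child-src" not in policy:
        return header  # nothing deprecated to migrate
    for directive in FALLBACKS:
        if directive not in policy:
            policy[directive] = effective(policy, directive)
    del policy["child-src"]
    return "; ".join(" ".join([name] + srcs) for name, srcs in policy.items())
```

Naively deleting child-src from the constructed sample would make worker-src fall back to script-src (which here allows 'unsafe-inline'), so the explicit pinning step is the part worth checking when a policy is cleaned up.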
Comment 1 Jannik Ahlers univentionstaff 2018-03-14 11:02:38 CET
I fixed the bug but there's no release scope yet

univention-management-console (10.0.4-5)
5315ee093bfd | Bug #45599: Remove deprecated child-src from Content-Security-Policy
Comment 2 Jannik Ahlers univentionstaff 2018-03-14 16:12:23 CET
The child-src directive only had to be removed from the conffiles and the ucr variable creation files of the univention-management-console package.
Comment 3 Johannes Keiser univentionstaff 2018-03-23 11:49:03 CET
OK child-src is removed from the CSP

The umc/http/content-security-policy/child-src ucr variable is still set if an upgrade is made.

Can you add a dpkg version compare in postinst and unset the ucr variable?
Comment 4 Jannik Ahlers univentionstaff 2018-04-04 11:54:09 CEST
univention-management-console (10.0.4-8)
ab1ac6e731f2 | Bug #45599: remove ucr variable

Successful build
Package: univention-management-console
Version: 10.0.4-8A~4.3.0.201804041148
Branch: ucs_4.3-0
Scope: errata4.3-0

The ucr variable now gets removed.
Comment 5 Jannik Ahlers univentionstaff 2018-04-17 10:22:41 CEST
univention-management-console (10.0.4-9)
b6f869348b6d | Bug #45599: fix typo

Successful build
Package: univention-management-console
Version: 10.0.4-9A~4.3.0.201804171016
Branch: ucs_4.3-0
Scope: errata4.3-0
Comment 6 Johannes Keiser univentionstaff 2018-04-17 18:19:53 CEST
OK child-src is removed from the CSP
OK ucr variable for child-src is removed
-> verified
Comment 7 Arvid Requate univentionstaff 2018-04-18 13:51:56 CEST
<http://errata.software-univention.de/ucs/4.3/18.html>