Univention Bugzilla – Bug 45599
Remove deprecated child-src from Content-Security-Policy
Last modified: 2018-04-18 13:51:56 CEST
See https://www.cspvalidator.org/#url=https://demo.univention.de/univention/management/
Warning 1:252: The child-src directive is deprecated as of CSP level 3. Authors who wish to regulate nested browsing contexts and workers SHOULD use the frame-src and worker-src directives, respectively.
Therefore we should remove this from our CSP rules.
I fixed the bug but there's no release scope yet.
univention-management-console (10.0.4-5)
5315ee093bfd | Bug #45599: Remove deprecated child-src from Content-Security-Policy
The child-src directive only had to be removed from the conffiles and the ucr variable creation files of the univention-management-console package.
OK child-src is removed from the CSP
The umc/http/content-security-policy/child-src ucr variable is still set if an upgrade is made. Can u add a dpkg version compare in postinst and unset the ucr variable?
univention-management-console (10.0.4-8)
ab1ac6e731f2 | Bug #45599: remove ucr variable
Successful build
Package: univention-management-console
Version: 10.0.4-8A~4.3.0.201804041148
Branch: ucs_4.3-0
Scope: errata4.3-0
The ucr variable now gets removed.
univention-management-console (10.0.4-9)
b6f869348b6d | Bug #45599: fix typo
Successful build
Package: univention-management-console
Version: 10.0.4-9A~4.3.0.201804171016
Branch: ucs_4.3-0
Scope: errata4.3-0
OK child-src is removed from the CSP
OK ucr variable for child-src is removed
-> verified
<http://errata.software-univention.de/ucs/4.3/18.html>
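An added example, not part of the bug report or the univention-management-console code: dropping child-src changes which directive governs frames and workers, so this check parses a policy and reports the effective sources before and after removal, using the CSP Level 3 fallback order. The function names and the sample policy are constructed for illustration; the sample is not the policy UMC ships.

```python
# Fallback order per CSP Level 3: the first directive present in the policy wins.
FALLBACK = {
    "frame": ["frame-src", "child-src", "default-src"],
    "worker": ["worker-src", "child-src", "script-src", "default-src"],
}

def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Directive names are case-insensitive; a repeated directive is ignored.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def governing(policy, kind):
    """Return (directive, sources) controlling `kind`, or (None, None) if unrestricted."""
    for name in FALLBACK[kind]:
        if name in policy:
            return name, policy[name]
    return None, None

def audit_child_src_removal(header):
    """Compare the effective frame/worker sources with and without child-src."""
    before = parse_csp(header)
    after = {k: v for k, v in before.items() if k != "child-src"}
    report = {"deprecated": "child-src" in before}
    for kind in FALLBACK:
        b, a = governing(before, kind), governing(after, kind)
        report[kind] = {"before": b, "after": a, "changed": b[1] != a[1]}
    return report

# Constructed sample policy (assumption, for illustration only).
SAMPLE = ("default-src 'self'; script-src 'self' 'unsafe-eval'; "
          "child-src 'self' https://sso.example.test")

if __name__ == "__main__":
    for key, value in audit_child_src_removal(SAMPLE).items():
        print(key, value)
```

A `changed` result means the removal alters what frames or workers may load, so the old child-src sources need to be carried over into explicit frame-src and worker-src directives.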