Add CSP protection to views
Activity
Philip Smart April 5, 2024 at 1:50 PM
Added a way to turn off the CSP rules with the system-wide idp.encoders.cspEnabled property from 5.1.
Philip Smart November 2, 2023 at 9:52 AM
Add the hash and nonce generator to the encoder beans. Added a CSP header to the OIDC request form post velocity template.
In branch dev/JOIDCRP-49
Philip Smart October 27, 2023 at 11:08 AM(edited)
Ah no. The new RP cannot be backward compatible with an older version of commons because of course we need to inject the new digester and nonce generator.
Philip Smart October 27, 2023 at 11:02 AM
As well as disabling the CSP header, it should handle a situation where it does not have the cspDigester in the context, so that it remains compatible with older versions of commons that do not inject it.
Philip Smart October 27, 2023 at 10:43 AM(edited)
I think the current plan (from checking the https://shibboleth.atlassian.net/browse/IDP-2183 branch) is not to include object-src 'none'; script-src 'none' into the base CSP policy — which makes sense as it depends on what each view actually requires. So I will leave them on the view.
The views need CSP rules, probably just blocking JS as I don’t think they include any, but need to check. Should avoid any incompatibility with 5.0 though so will need to define some relevant beans, either here or in commons depending on what makes sense.
If the views are internal and not generally exposed to deployers, we’ll want to consider options that leave it off by default internally to avoid browser issues, but could turn the feature on by overriding a property in new installs. If the views are external files, we can just change them since upgrades don’t get those changes anyway.
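The thread talks about a per-view policy built from a hash/nonce digester, the idp.encoders.cspEnabled switch, and graceful behaviour when an older commons injects no cspDigester. The following is an added illustration, not Shibboleth code: the script body, the function names and the "omit the header when no digester is present" fallback are all assumptions made for the example.

```python
import base64
import hashlib
import html
import secrets

# Constructed stand-in for an auto-submitting inline script in a form-post
# view; the real Velocity template content is not on the page.
AUTO_SUBMIT_SCRIPT = "document.forms[0].submit();"


def csp_script_hash(script: str) -> str:
    """Hypothetical digester: CSP hash-source for one inline script body.
    The hash covers the exact text between the <script> tags."""
    digest = hashlib.sha256(script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def csp_nonce() -> str:
    """Hypothetical nonce generator: fresh random value per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(inline_scripts, nonce=None):
    """Base policy plus a hash for each inline script and, optionally, a nonce.
    A view with no scripts gets script-src 'none' outright."""
    sources = [csp_script_hash(s) for s in inline_scripts]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    return "object-src 'none'; script-src " + (" ".join(sources) or "'none'")


def render_form_post(action, params, csp_enabled=True, digester_available=True):
    """Return (headers, html) for a form-post view.
    csp_enabled mirrors idp.encoders.cspEnabled; digester_available=False
    models an older commons that injects no cspDigester: the view still
    renders, it just emits no CSP header rather than a policy that would
    block its own script."""
    nonce = csp_nonce() if digester_available else None
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
        for k, v in params.items())
    open_tag = f'<script nonce="{nonce}">' if nonce else "<script>"
    page = (f'<form method="post" action="{html.escape(action)}">{inputs}</form>'
            f"{open_tag}{AUTO_SUBMIT_SCRIPT}</script>")
    headers = {}
    if csp_enabled and digester_available:
        headers["Content-Security-Policy"] = build_csp([AUTO_SUBMIT_SCRIPT], nonce)
    return headers, page
```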