From: Stef Walter <stefw at redhat.com>
To: cockpit-devel at lists.fedorahosted.org
Subject: No 'unsafe' Content-Security-Policy in Cockpit
Date: Thu, 27 Jul 2017 12:58:18 +0200

The use of 'unsafe-inline' or 'unsafe-eval' or '*' in the Content-Security-Policy lines of manifest.json files is the equivalent of 'setenforce 0'.

http://cockpit-project.org/guide/latest/packages.html#package-manifest

It's not okay to disable this security measure for code included in the Cockpit codebase. This security measure prevents XSS, code injection and other security attacks.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

To bring this closer to home, the following aren't allowed:

 * onclick='...' attributes -> Attach event handlers from javascript instead.
 * inline scripts -> Include a script file rather than inline scripts.
 * inline CSS -> Include this in your CSS file rather than inline.
 * style='...' attributes -> Use your CSS file or javascript to set dynamic styles.
 * eval() or Function() -> Never evaluate javascript directly.

By default Cockpit will refuse to allow them in loaded pages or javascript ... and we shouldn't use 'unsafe-inline' or 'unsafe-eval' in the manifest.json file to bypass this.

I've added some testing so that such code in the Cockpit repository will be detected.

https://github.com/cockpit-project/cockpit/pull/7391

Happy hacking,

Stef
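As an added example, not part of Stef's mail or of the Cockpit code base: a small audit in the spirit of the check the pull request adds, which parses a manifest's policy directive by directive and flags the three sources the mail says are never acceptable. It assumes the policy sits under a top-level "content-security-policy" key as the Cockpit package guide documents it, and both sample manifests are constructed.

```javascript
// Added example (not Cockpit's own code): audit a Cockpit-style manifest.json
// for the CSP sources the mail forbids. Assumes the manifest carries its policy
// under a top-level "content-security-policy" key (per the package guide).
const FORBIDDEN_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", "*"]);

// Parse a CSP string into { directiveName: [source, ...] }.
// Directives are ';'-separated; within one, tokens are whitespace-separated.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return one finding per forbidden source, e.g. "script-src: 'unsafe-inline'".
// A manifest without a policy yields no findings: Cockpit then applies its
// own strict default, which is exactly what the mail asks for.
function auditManifestCsp(manifestText) {
  const manifest = JSON.parse(manifestText);
  const policy = manifest["content-security-policy"];
  if (typeof policy !== "string") return [];
  const findings = [];
  for (const [name, sources] of Object.entries(parseCsp(policy))) {
    for (const src of sources) {
      if (FORBIDDEN_SOURCES.has(src)) findings.push(`${name}: ${src}`);
    }
  }
  return findings;
}

// Constructed sample manifests: the first is the 'setenforce 0' case.
const BAD_MANIFEST = JSON.stringify({
  "content-security-policy":
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *",
});
const GOOD_MANIFEST = JSON.stringify({
  "content-security-policy": "default-src 'self'; connect-src 'self' https:",
});

console.log(auditManifestCsp(BAD_MANIFEST));  // three findings
console.log(auditManifestCsp(GOOD_MANIFEST)); // []
```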