Feature Request
Resolution: Unresolved
2.4
The Content Security Policy (CSP) that Ansible Automation Platform (AAP) 2.4 serves does not include a base-uri directive, which the CSP Evaluator tool flags as a security weakness.
According to the CSP Evaluator Tool (https://csp-evaluator.withgoogle.com/), a policy without base-uri does not block injected base tags. An attacker who can inject HTML into the page (even without being able to run script directly) can add a <base href> pointing at a domain they control, after which every relative URL on the page, including the src of nonce-allowed <script> tags, resolves against that domain. base-uri does not fall back to default-src, so the default-src 'self' in the policy below does not cover it.
Steps to Reproduce:
- Open the AAP Controller in Chrome.
- Open Chrome DevTools (Inspect), select the Elements tab and expand the <head> element.
- Locate the policy in the <meta http-equiv="Content-Security-Policy"> tag (the policy is delivered in a meta tag, not as an HTTP response header).
- Copy the value of its content attribute and paste it into the CSP Evaluator Tool.
Example CSP meta tag identified:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' app.pendo.io data.pendo.io pendo-static-5182814785896448.storage.googleapis.com app.eu.pendo.io data.eu.pendo.io pendo-eu-static-5182814785896448.storage.googleapis.com ws: wss:; style-src 'self' 'unsafe-inline' app.pendo.io cdn.pendo.io pendo-static-5182814785896448.storage.googleapis.com app.eu.pendo.io cdn.eu.pendo.io pendo-eu-static-5182814785896448.storage.googleapis.com; script-src 'self' 'nonce-jDSxYugdk/iewlthsEiTQPLJT6ORp47Wc3GGKSSqpYI=' app.pendo.io pendo-io-static.storage.googleapis.com cdn.pendo.io pendo-static-5182814785896448.storage.googleapis.com data.pendo.io pendo-eu-static.storage.googleapis.com cdn.eu.pendo.io pendo-eu-static-5182814785896448.storage.googleapis.com data.eu.pendo.io; img-src 'self' cdn.pendo.io app.pendo.io pendo-static-5182814785896448.storage.googleapis.com data.pendo.io cdn.eu.pendo.io app.eu.pendo.io pendo-eu-static-5182814785896448.storage.googleapis.com data.eu.pendo.io data:; worker-src 'self' blob: ;">
CSP Evaluator Results:
- Finding: Missing base-uri directive.
- Recommendation: Set base-uri to 'none' or 'self' to prevent the injection of malicious base tags.
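The following script is an added example, not code from the AAP project or from the original issue. It automates the check described in the steps above: it pulls the policy out of a CSP meta tag, parses it into directives, reports a missing base-uri (and notes when script-src is nonce-based, which is what makes base injection effective), shows how a relative script src resolves against an injected <base href>, and prints the policy with base-uri added. The HTML sample is constructed for this example (a trimmed version of the policy quoted above plus one nonced script tag), and the origins aap.example and attacker.invalid are placeholders.

```python
"""Added example: check a CSP meta policy for a missing base-uri directive.
Sample HTML and origin names are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page: trimmed copy of the policy quoted in the issue, plus a
# nonced <script> tag with a relative src (the pattern that base injection abuses).
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'nonce-jDSxYugdk/iewlthsEiTQPLJT6ORp47Wc3GGKSSqpYI='; img-src 'self' data:; worker-src 'self' blob: ;">
<script nonce="jDSxYugdk/iewlthsEiTQPLJT6ORp47Wc3GGKSSqpYI=" src="/static/js/main.js"></script>
</head><body></body></html>"""


class CspMetaExtractor(HTMLParser):
    """Collect the content attribute of every CSP meta tag in the document."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))


def extract_csp(html):
    """Return the first CSP meta policy in the page, or '' if there is none."""
    p = CspMetaExtractor()
    p.feed(html)
    return p.policies[0] if p.policies else ""


def parse_csp(policy):
    """Split "name v1 v2; name2 v3" into {name: [v1, v2], name2: [v3]}.
    Directive names are case-insensitive; empty segments (trailing ';') are skipped."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def serialize_csp(directives):
    """Turn the directive map back into a policy string."""
    return "; ".join(f"{k} {' '.join(v)}".strip() for k, v in directives.items())


def check_base_uri(directives):
    """Evaluator-style findings. base-uri does not inherit from default-src,
    so its absence is a finding no matter what default-src says."""
    findings = []
    if "base-uri" not in directives:
        findings.append("Missing base-uri directive: injected <base> tags are not blocked")
        if any(v.startswith("'nonce-") for v in directives.get("script-src", [])):
            findings.append("script-src is nonce-based: a nonced <script> with a relative src "
                            "is fetched from whatever origin an injected <base> points at")
    return findings


def harden(directives, value="'self'"):
    """Add base-uri if absent. 'none' is stricter but breaks pages that use <base> legitimately."""
    fixed = dict(directives)
    fixed.setdefault("base-uri", [value])
    return fixed


def resolve_script_src(page_url, injected_base, src):
    """Mirror the browser: a relative src resolves against <base href> when present,
    otherwise against the document URL."""
    return urljoin(injected_base or page_url, src)


if __name__ == "__main__":
    d = parse_csp(extract_csp(SAMPLE_HTML))
    for f in check_base_uri(d):
        print("FINDING:", f)
    print("legit :", resolve_script_src("https://aap.example/", None, "/static/js/main.js"))
    print("attack:", resolve_script_src("https://aap.example/", "https://attacker.invalid/", "/static/js/main.js"))
    print("fixed :", serialize_csp(harden(d)))
```

The resolution step is the whole point of the finding: the nonce on the script tag still matches, so the policy permits the load, but the URL it loads from is now the attacker's. Use 'none' rather than 'self' if the application never emits a <base> tag of its own.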
Concerns:
- The Red Hat solution article https://access.redhat.com/solutions/7062521 indicates that custom Nginx headers can be configured. However, this approach does not allow for adding the base-uri directive to the CSP.
- The related RFE, AAPRFE-1469, discusses broader CSP improvements, but it is unclear whether the base-uri directive will be addressed as part of that RFE or separately.
Request:
Enable support for configuring the base-uri directive in the CSP settings for AAP. The directive should accept 'none' or 'self', in line with CSP best practice.
Business Impact:
Adding the base-uri directive strengthens the security posture of AAP deployments by closing the base tag injection route around the nonce-based script-src policy. This matters for enterprise customers who run CSP scanners against the Controller UI and must remediate every finding.
References:
- CSP Evaluator Tool: https://csp-evaluator.withgoogle.com/
- Related RFE: AAPRFE-1469
- Red Hat Solution Article: https://access.redhat.com/solutions/7062521